Dongles are everywhere and car makers are concerned
Originally introduced as part of a drive to clean up vehicle emissions, the OBD-II monitoring port (OBD: on-board diagnostics) inside modern automobiles offers a convenient connection for users. Good and bad actors have leapt on the vehicle network interface as a relatively open door to not just reading diagnostic data, but also sending information in the other direction and writing commands.
There’s a long list of modifications that can be added to cars (and other vehicles) via the OBD-II port, from animations that trigger taillights in sequence, to codes for unlocking paid-for features at low or no cost. Most worrying, perhaps, is the ability to start the vehicle without an original key, although whether such tools work as advertised remains to be seen.
Right to repair laws have put pressure on OEMs to open up access to various automotive data, beginning with only emissions-related values and later including more diagnostic information (most recently, telematics data has also come under scrutiny, but we’ll save that discussion for another blog post).
The legislation benefits independent garages, fleet management firms and roadside rescue companies, but they are not the only ones connecting things to the OBD-II port. Software and hardware are widely available and the vehicle no longer necessarily has to be physically tethered to a computer. Today, companion apps are available to download onto smartphones and tablets that operate over Bluetooth or Wi-Fi and pair with affordable dongles.
Car-makers have been caught off-guard by the curiosity of consumers who want to make use of the port – for example, to download vehicle history data for checking the provenance of a second-hand car before purchasing. Other drivers may wish to query the diagnostic codes in more detail so that they can anticipate servicing costs and double check the advice they receive at the repair shop. But plugging an unknown device into your vehicle can cause issues.
Rogue / anomalous behaviour
OBD-II dongles may confuse automotive electronic control units, either unintentionally – presenting the user with an unexpected repair bill – or intentionally, allowing a bad actor to conduct fraud.
In the trucking sector, plug-in devices can be used to mislead engine management systems into thinking that vehicles are topped up with diesel exhaust fluid (a liquid used to break down emissions into less harmful chemicals) and that NOx levels are fine when in fact they are not. Their legitimate use case is to allow a truck to be driven to a service centre when a sensor has failed, but diesel exhaust fluid is an additional cost to hauliers and cheap dongles put temptation into the hands of unscrupulous operators. And it’s not just trucks: some modern diesel cars use exhaust fluid too – although in much lower quantities (for example, even SUVs will only use around 1.5 L per 1000 km whereas trucks could consume hundreds of litres every week).
Type ‘OBD-II dongle’ into the search engine of your choice and you’ll find a wide range of devices that could appeal to the desires of bad actors such as those wanting to manipulate a vehicle’s mileage (see blog – ‘Mileage tampering: odometer fraudsters remain a concern for the automotive industry’) or, as mentioned above, attempt to program a new key. Also, attackers could exploit wireless devices that drivers have left plugged into their vehicles if they are able to establish a connection.
Finally, although more annoying than harmful, bogus dongles are also one to add to the watch list. Teardowns have found that some OBD-II devices don’t provide the functionality they advertise and are little more than a blinking LED in a box.
Defensive strategies in use
What can be done? A few years ago, concern in the industry resulted in the Society of Automotive Engineers forming a ‘Data Link Connector Vehicle Security Committee’ featuring a number of automotive and heavy truck OEMs, plus other agencies and regulators.
In general, car makers appear keen to close down data access via OBD-II, at least under some conditions, such as when the vehicle is in motion, to reduce the use of third-party devices.
Certainly, vendors are paying close attention to access control – for example, through security gateways added to new vehicles. Here, gaining access to the full range of OBD-II functions requires individuals and repair shops to first register their diagnostic tools online. However, not everyone appears to be complying with these instructions, as a number of ‘bypass’ boxes and cables can be found for sale on the web.
Another take on protecting vehicle diagnostics is based on the use of activation tokens, made available via dealer portals, to allow servicing. The scheme automatically locks ECUs at the end of a fault-finding session or after a period of 90 minutes, whichever comes first.
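The lock behaviour described above, sketched as an added example (not code from the original post or from any OEM): an ECU-side gate that opens only for a valid activation token and relocks at session end or after 90 minutes, whichever comes first. The HMAC token format, the key shared between portal and ECU, the nonce and all names are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_UNLOCK_SECONDS = 90 * 60  # the 90-minute cap from the scheme described above


def issue_token(key: bytes, ecu_id: str, nonce: str) -> str:
    """Stand-in for the dealer portal: the MAC binds a token to one ECU and one nonce."""
    return hmac.new(key, f"{ecu_id}|{nonce}".encode(), hashlib.sha256).hexdigest()


class DiagnosticLock:
    """Hypothetical ECU-side gate: locked by default, opened only by a valid token."""

    def __init__(self, key: bytes, ecu_id: str):
        self._key, self._ecu_id = key, ecu_id
        self._unlocked_at = None   # None means locked
        self._seen_nonces = set()  # blocks replay of a captured token

    def activate(self, nonce: str, token: str, now: float) -> bool:
        expected = issue_token(self._key, self._ecu_id, nonce).encode()
        fresh = nonce not in self._seen_nonces
        if not (fresh and hmac.compare_digest(expected, token.encode())):
            return False
        self._seen_nonces.add(nonce)
        self._unlocked_at = now
        return True

    def end_session(self) -> None:
        self._unlocked_at = None  # relock as soon as fault-finding ends

    def is_unlocked(self, now: float) -> bool:
        if self._unlocked_at is None:
            return False
        if now - self._unlocked_at >= MAX_UNLOCK_SECONDS:
            self._unlocked_at = None  # time cap reached: relock
            return False
        return True


def demo() -> list:
    key = b"constructed-demo-key"  # constructed value, held by portal and ECU only
    lock = DiagnosticLock(key, "ECU-DEMO-01")
    token = issue_token(key, "ECU-DEMO-01", "nonce-1")
    return [lock.is_unlocked(0),                    # locked by default
            lock.activate("nonce-1", token, 0),     # valid token opens the gate
            lock.is_unlocked(89 * 60),              # still inside the window
            lock.is_unlocked(90 * 60),              # cap reached, relocked
            lock.activate("nonce-1", token, 5400)]  # replayed token refused


if __name__ == "__main__":
    print(demo())
```

In this sketch the diagnostic tool only relays the token and never holds the key, and `now` is passed in as seconds from a monotonic clock so the expiry logic can be tested without waiting.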
However, what if correctly registered tools get into the wrong hands? In the past, security researchers have shown that reverse engineering of diagnostic equipment can yield the necessary security keys for re-flashing vehicle firmware. Drawing attention to this, the US National Highway Traffic Safety Administration (in the recently updated ‘Cybersecurity Best Practices for the Safety of Modern Vehicles’) calls on vehicle and diagnostic tool manufacturers to provide ‘appropriate authentication and access control’.
Removal of the OBD-II Port
Some car manufacturers have the option of getting rid of the OBD-II port entirely – for example, one electric vehicle manufacturer produces their cars without the familiar 16-pin connector. This is presumably because the vehicle has no exhaust emissions to monitor. Fuel cell vehicles could also be exempt from OBD requirements, as suggested by US Environmental Protection Agency documentation.
This has not prevented drivers from seeking access to their vehicles. Interested owners have found connectors under the cup holders and behind the front seats in these vehicles, which can be used with OBD-II equipment, including wireless dongles, via an adapter. From a security perspective, this demonstrates the futility of hiding information and access in vehicles which are in the public domain.
A false sense of security?
As shown, the OBD-II port has attracted a lot of interest from a range of parties and while solutions have emerged to limit access, these are merely sticking plasters which are unlikely to stand the test of time. Fundamentally what OEMs need to take into account is that:
- Drivers would like more data and information from their vehicles – OEMs should start to ‘swim with the tide’ and provide a way for vehicle owners to get this information, rather than seek to prevent access. Doing the opposite will only cause more hacking and access attempts.
- The writing is on the wall for legacy vehicle networks. A concerted effort is needed to transition away from unauthenticated networks with no integrity protection – both for the automotive industry and in the policy space.
Creating modern methods for facilitating the right-to-repair of vehicles, whilst maintaining the safety and security integrity of critical components is a key challenge that automotive and other industries now face.
Overall, a defense-in-depth strategy is the only way to create a secure vehicle, featuring multiple layers of security controls. This offers additional safeguards should one or more steps fail. Additional controls will raise the bar for an attacker, but they should be robust and not easily side-stepped, otherwise the investment is useless.
Responding to these challenges, the Secure-CAV project is developing fast-acting cybersecurity solutions that can be embedded deep in automotive electronic hardware.
About the authors
James Tyrrell is a Threat Modelling Analyst at Copper Horse
David Rogers is a security specialist and CEO of Copper Horse