Q
Problem solve Get help with specific problems with your technologies, process and projects.

How can Bosch's diagnostic dongle be leveraged by hackers?

Hacks on a car's diagnostic dongle can completely take over the vehicle and even shut off the engine. Expert Judith Myerson explains how this works and how to prevent it from happening.

I hear hackers could shut off a car's engine using flaws in the Bosch Drivelog Connect diagnostic dongle. How is...

this possible? How can this be prevented?

A car can be equipped with third-party gadgets, such as the Bosch diagnostic dongle, which monitors the car's performance to make sure the engine is working properly. The Drivelog Connect app on smartphones pairs with the dongle and sends automatic diagnostic messages to the user when service is necessary to fix engine problems.

But what happens when, one day, the driver gets strange messages through the app? The car may suddenly stop moving, the airbag system won't work or the automotive braking system may fail. An attacker can use a mobile app to exploit a patched flaw in the diagnostic dongle and send unwanted messages over Bluetooth. It's then possible for the attacker to turn off the engine as he drives by his victim.

Researchers at Argus Cyber Security, a firm specializing in car security research, pinpointed the flaws to dongle firmware version 4.8.0 to 4.9.2 and Drivelog Connect app version 1.1 and below.

The diagnostic dongle enabled the researchers to connect to the onboard diagnostics (OBD) without a PIN number during the pairing process. The holes in the car dongle's message filter enabled them to send non-diagnostic messages to the Controller Area Network (CAN) bus on a car. If the PIN was needed, the researchers successfully guessed it offline using the information from the certificate, public key and MAC address.

To mitigate the vulnerabilities, Bosch updated dongle firmware to version 4.9.3. The update limits the commands that the car dongle can accept over the CAN bus. Users should use the mobile apps provided by the Bosch App Center.

In addition to Drivelog Connect, consider using Mobile Scan Bluetooth OBD II Connector as an additional security layer. The app pairs with the Mobile Scan adapter in the car; identifies the car; and checks the fuel system, airbag and automatic braking system.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Read about the driving forces accelerating and decelerating connected car security

Learn more about the DMCA controversy that followed the Chrysler car hack

Find out more about past car hacks

This was last published in June 2017

Dig Deeper on Emerging cyberattacks and threats

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close