Bosch, a leading automotive technology supplier, addressed security concerns in its Drivelog Connector, commonly known as an OBD2 dongle. This advisory sheds light on vulnerabilities identified in the Bosch Obd2 Dongle and its companion smartphone application, providing crucial information for users and the automotive industry.
Bluetooth Pairing Weakness: Brute-Force PIN Vulnerability
One significant issue discovered is related to the Bluetooth pairing process. The “Just Works” pairing method, designed for user convenience, was found to be susceptible to brute-force attacks. An attacker within Bluetooth range could potentially attempt numerous PIN combinations to gain unauthorized access to the dongle. Successful exploitation of this vulnerability could allow malicious actors to interact with the vehicle’s systems via the compromised dongle connection.
Mobile App Manipulation: Risk of Unwanted CAN Messages
Another vulnerability arises from the potential manipulation of the Drivelog Connect mobile application. If a user were to install a maliciously modified version of the app – from sources outside official channels like app stores – it could lead to serious consequences. Such a compromised app could be engineered to send unauthorized commands through the Bosch OBD2 dongle to the vehicle’s Controller Area Network (CAN) bus. This access could, in theory, allow for the injection of malicious CAN messages, potentially affecting vehicle functions. It’s important to note that this attack vector requires the user to willingly install a compromised application, highlighting the importance of app source security.
Bosch’s Mitigations and User Recommendations
Bosch has taken proactive steps to mitigate these identified vulnerabilities. For the Bluetooth pairing issue, they implemented a server-side two-step verification process for new users registering devices. This enhancement strengthens the authentication process without requiring immediate user action. Furthermore, Bosch announced upcoming application and dongle firmware updates to further bolster security. These updates are expected to include refined authentication protocols and stricter limitations on CAN bus commands that the dongle can execute, effectively reducing the attack surface.
It is crucial for users to ensure they only download the official Drivelog Connect application from trusted app stores. Avoiding unofficial sources significantly reduces the risk of installing a compromised application. Keeping both the mobile application and the dongle firmware updated to the latest versions provided by Bosch is also vital for maintaining a secure connection and benefiting from the implemented security enhancements.
Conclusion: Addressing Automotive Cyber Security
This advisory underscores the growing importance of cyber security in connected vehicles. While the identified vulnerabilities in the Bosch OBD2 dongle require physical proximity for exploitation and have been addressed by Bosch, they serve as a reminder of the potential risks associated with connected car technologies. Bosch’s responsive actions and planned updates demonstrate a commitment to addressing these challenges and enhancing the security of their automotive products. Users should remain vigilant, keep their systems updated, and practice safe app installation habits to minimize potential risks.
