Cyber security company reveals vulnerability that lets hackers take control of a car’s engine

Israeli cyber security company Argus has revealed vulnerabilities in Bosch Drivelog Connect USB sticks that allow hackers to bypass authentication and issue commands to cars, including stopping cars’ engines.

In September 2016, Bosch announced its new Drivelog Connect, essentially a USB stick that can be used by drivers to send details about the condition of their vehicle to an accompanying app.

However, Argus has found vulnerabilities in Bosch’s technology, which include an information leak between the Drivelog Connect USB and the Drivelog Connect smart phone app.

The information leak allowed Argus to quickly brute-force the Drivelog Connect’s secret PIN and connect to the USB via Bluetooth. Once connected to the USB, Argus said it could “inject malicious messages” between the various devices, as well as control things like the car’s engine.


“In our research, we were able to turn off the engine of a moving car while within Bluetooth range,” said Argus in a blog post.

“If an attacker were to implement this attack method in the wild, we estimate that he could cause physical effects on most vehicles on the road today.”

In the case of Argus’ attack on Bosch’s Drivelog Connect, hackers need to be in close proximity to the targeted vehicle, but as Kyle Wilhoit, senior security researcher at DomainTools, explains, this isn’t always the case.

“Cars are becoming more virtual every day. From anti-lock braking systems to navigation control, the reliance on complex computing across a vehicle is surprising,” said Wilhoit.

“One of the only saving graces to this technology is the attack surface. Typically to attack a vehicle’s onboard systems, the attacker would need to be within physical proximity of the vehicle. This is not always the case, and there are some remote exploit opportunities available, but those are a harder attack surface to compromise.”

Having found that it could gain access to Bosch’s Drivelog Connect, Argus informed Bosch and the company says its Product Security Incident Response Team took “decisive and immediate action to address the vulnerabilities”.

Details of how Argus carried out the attack are available here.

Driverless shuttle begins 2km route trial in London

A prototype autonomous shuttle will begin driverless navigation of a 2km route around the Greenwich Peninsula in London, UK, today. Using advanced sensors and state-of-the-art autonomy software to detect and avoid obstacles, the shuttle will be carrying members of the public as part of a research study contributing to the GATEway Project (Greenwich Automated Transport Environment).

The GATEway Project, led by the Transport Research Laboratory (TRL) and funded by government and industry, is aiming to demonstrate the viability of automated vehicles for “last mile” mobility. Rather than more traditional automation, which tends towards robotising existing transport, the project looks instead to enable new forms of mobility in urban environments using automation.

“Last mile” mobility, as related to the project’s automation specifically, is focused on connecting existing transport hubs with residential and commercial areas using a zero-emission, low-noise transport system. It is hoped that the shuttle trial will enable the researchers to judge public acceptance of, and attitudes towards, driverless vehicles.

“This research is another milestone in the UK’s journey towards driverless vehicles and a vital step towards delivering safer, cleaner and more effective transport in our cities,” summarised Professor Nick Reed, academy director at TRL.

“It is critical that the public are fully involved as these technologies become a reality. The GATEway Project is enabling us to discover how potential users of automated vehicles respond to them so that the anticipated benefits to mobility can be maximised. We see automated vehicles as a practical solution to delivering safe, clean, accessible and affordable last-mile mobility.”

Focusing on the aspect of public perception, participants will be involved before and after the shuttle ride. Residents and visitors to the Peninsula will also be invited to leave feedback via an interactive map. Beyond a test of the technology itself, significant in enabling the UK as a leader in automated technology, the research aims to provide sociological insight into one of the biggest changes in mobility in recent history.


The shuttle itself uses a state-of-the-art autonomy software system called Selenium, which enables real-time, robust navigation, planning, and perception in dynamic environments. Selenium is described as “a vehicle-agnostic, sensor-agnostic autonomy solution”, meaning that it is designed for use across a wide range of vehicles, making use of onboard sensors to locate itself in its map, perceive and track dynamic obstacles around it, and plan a safe obstacle-free trajectory to the goal.

Operating without any reliance on GPS, the shuttle uses high data-rate 3D laser range finders for obstacle detection and tracking, and an additional safety curtain is used in order to maximise safety. A safety steward will be on-board at all times in compliance with automated vehicle testing practices.

The shuttle trial is one of a number of GATEway Project studies currently taking place to assess public reaction to automated vehicles in the UK.