Israeli cyber security company Argus has revealed vulnerabilities in Bosch Drivelog Connect USB sticks that allow hackers to bypass authentication and issue commands to cars, including stopping cars’ engines.
In September 2016, Bosch announced its new Drivelog Connect, essentially a USB stick that can be used by drivers to send details about the condition of their vehicle to an accompanying app.
However, Argus has found vulnerabilities in Bosch’s technology, which include an information leak between the Drivelog Connect USB and the Drivelog Connect smartphone app.
The information leak allowed Argus to quickly brute-force the Drivelog Connect’s secret PIN and connect to the USB via Bluetooth. Once connected to the USB, Argus said it could “inject malicious messages” between the various devices, as well as control things like the car’s engine.
“In our research, we were able to turn off the engine of a moving car while within Bluetooth range,” said Argus in a blog post.
“If an attacker were to implement this attack method in the wild, we estimate that he could cause physical effects on most vehicles on the road today.”
In the case of Argus’ attack on Bosch’s Drivelog Connect, hackers need to be in close proximity to the targeted vehicle, but as Kyle Wilhoit, senior security researcher at DomainTools explains, this isn’t always the case.
“Cars are becoming more virtual every day. From anti-lock braking systems to navigation control, the reliance on complex computing across a vehicle is surprising,” said Wilhoit.
“One of the only saving graces to this technology is the attack surface. Typically to attack a vehicle’s onboard systems, the attacker would need to be within physical proximity of the vehicle. This is not always the case, and there are some remote exploit opportunities available, but those are a harder attack surface to compromise.”
Having found that it could gain access to Bosch’s Drivelog Connect, Argus informed Bosch, and the company says its Product Security Incident Response Team took “decisive and immediate action to address the vulnerabilities”.