Argus Cyber Security hacked into a Bosch DriveLog dongle, took control of a vehicle and then informed Bosch. Argus Cyber Security and Bosch announced today that Argus researchers found security vulnerabilities in the Bosch DriveLog Connector dongle and in its authentication process with the DriveLog Connect smartphone application, which enabled the researchers to take control of a car via Bluetooth. Following a responsible disclosure by Argus to Bosch, Bosch's Product Security Incident Response Team (PSIRT) took decisive and immediate action to address the vulnerabilities.
Argus noted that they concentrated on Android because of its open-source nature. They were able to find an opening in the smartphone app to obtain the access code and then contact the dongle with a Bluetooth device.
The Argus research group succeeded in remotely taking over safety-critical vehicle systems via a Bosch DriveLog Connector dongle installed in the vehicle.
After gaining access to the communications channel, Argus researchers were able to duplicate the message command structure and inject malicious messages into the in-vehicle network. This effectively bypassed the secure message filter that was designed to allow only specific messages, and the vulnerabilities enabled the Argus research group to take control of a moving car, demonstrated by remotely stopping the engine.
As soon as Argus found the cyber security vulnerabilities in the Bosch DriveLog Connector dongle, Bosch was duly informed. The matter received significant attention from Bosch top management, and its Product Security Incident Response Team worked quickly to address the issues across Bosch's security and development divisions.
Bosch expressed its gratitude to the Argus team for the responsible disclosure of these vulnerabilities and their help throughout the process.
Only a short time after being notified, Bosch has already implemented an initial fix. It is important to note that the scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle: the attacking device needs to be within Bluetooth range of the vehicle. Furthermore, an initial attack requires brute forcing the PIN for a given dongle and sending a malicious CAN message that fits the constraints of the dongle and the vehicle.
Bosch noted on its website that the improper authentication vulnerability in the Bluetooth communication has been mitigated by activating two-step verification for additional users being registered to a device. This has been implemented on the server, so no action is required by the user. To further increase security in the authentication process, an application and dongle firmware update will also be released. With the mitigation of the improper authentication vulnerability, successful exploitation of the second issue requires the compromise of the user's information. This can only occur in connection with malicious modification of the mobile application on the user's phone, i.e. installing a maliciously modified app not provided by Bosch.
The ability of a maliciously modified mobile application to send unwanted CAN messages will be mitigated by an update to the dongle firmware that further limits the commands the dongle is able to place on the CAN bus.
To further increase security, a patch that fixes the underlying weaknesses in the encryption protocol will be available shortly. This patch will prevent the kind of attack described by Argus. Additional work is also being done to further limit the possibility of sending unwanted CAN messages and will be rolled out alongside further improvements later in the year.
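As an added illustration (not Bosch's or Argus's code), the two mitigations the article describes, a PIN lockout against online brute forcing and a strict allowlist of the CAN frames a dongle may place on the bus, modelled in Python. The arbitration ID, payload mask, frames and PIN are constructed assumptions, not DriveLog values.

```python
import hmac
from dataclasses import dataclass

# Constructed illustration of the two mitigations the article describes for a
# telematics dongle: lock out online PIN brute forcing, and place only frames
# that match a strict allowlist on the CAN bus. IDs, masks and PIN are made up.

@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit CAN arbitration ID
    data: bytes   # 0..8 payload bytes

@dataclass(frozen=True)
class AllowRule:
    arb_id: int
    dlc: int      # exact payload length the frame must have
    mask: bytes   # 0xff = byte must equal `value`, 0x00 = don't care
    value: bytes

    def matches(self, f: CanFrame) -> bool:
        if f.arb_id != self.arb_id or len(f.data) != self.dlc:
            return False
        return all((b & m) == v for b, m, v in zip(f.data, self.mask, self.value))

# Hypothetical allowlist: only an OBD-II functional request (0x7DF) carrying a
# UDS ReadDataByIdentifier (0x22) with zero padding; anything else is dropped.
ALLOWLIST = [AllowRule(0x7DF, 8, bytes.fromhex("ffff0000ffffffff"),
                       bytes.fromhex("0322000000000000"))]

class DongleGateway:
    MAX_PIN_ATTEMPTS = 3

    def __init__(self, pin: str, rules=ALLOWLIST):
        self._pin, self._rules = pin.encode(), list(rules)
        self._failed, self.authenticated, self.locked = 0, False, False

    def authenticate(self, attempt: str) -> bool:
        """Constant-time PIN check; MAX_PIN_ATTEMPTS failures lock the dongle."""
        if self.locked:
            return False
        if hmac.compare_digest(attempt.encode(), self._pin):
            self._failed, self.authenticated = 0, True
            return True
        self._failed += 1
        self.locked = self._failed >= self.MAX_PIN_ATTEMPTS
        return False

    def forward(self, frame: CanFrame) -> bool:
        # Authenticated session and an exact allowlist match, or the frame is dropped.
        return self.authenticated and any(r.matches(frame) for r in self._rules)
```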
In the Argus blog, the researchers noted:
“The DriveLog platform, including the dongle and mobile app, does a lot of things right. The dongle does not expose any physical interfaces (e.g., its JTAG is firmly disabled), and the dongle is responsible for decrypting firmware upgrades (i.e., the dongle firmware is not easily accessible to attackers). Moreover, all communication between the dongle, the Drivelog Connect app and the backend server is encrypted and the system design clearly places a lot of emphasis on cryptographic security.