The Risks Posed by Wireless Automotive DonglesResearchers Find Widespread Vulnerabilities in These Diagnostic Devices
Haohuang Wen's 2015 Honda Civic wasn't in top shape after he used it as a test subject.
Wen, a doctoral student in Ohio State University's Department of Computer Science and Engineering, was investigating wireless dongles that plug into a vehicle's Onboard Diagnostic, or OBD-II, port, which is usually located under the dashboard.
Wireless OBD-II dongles are essentially the same as the wired OBD scanners used by mechanics for decades to read fault codes generated by a vehicle when something's wrong. The devices collect diagnostic data but also can allow for remote actions. Wireless dongles are also used by insurance companies to set rates based on a driver's behavior.
Wen wanted to see if wireless OBD-II dongles, which can run Wi-Fi, Bluetooth or Bluetooth Low Energy, were vulnerable to attack. Wen and his advisers, Professor Zhiqiang Lin of Ohio State University and Qi Alfred Chen of the University of California, Irvine, will present their findings on Thursday at the 29th Usenix Security Symposium. The findings suggest consumers should be cautious with wireless OBD dongles until their security improves.
In one of their experiments, Wen took his Honda Civic to an empty lot with a dongle plugged into it. Then he connected to the dongle with his laptop and sent random commands - an exercise known as fuzzing - that were funneled to the vehicle's CAN bus, which is essentially the brain of the vehicle. The car's alert systems went haywire.
"I found it's very dangerous behavior," Wen says. "My vehicle started to behave abnormally."
Every Device Vulnerable
Over the last few years, there's been a flood of cheap wireless OBD-II dongles introduced to the market. Wireless OBD-II dongles are available for as little as $30, and they're usually paired with a mobile app. Problems have been found with them before. In 2017, Argus Cyber Security found vulnerabilities in Bosch's Drivelog Connector that could be exploited to shut down the car's engine while the vehicle was in motion.
But the researchers found that virtually all the wireless dongles on the market have at least two types of vulnerabilities, making them potentially dangerous to drivers. In some cases, it may be possible for dongles to be taken over while someone is driving, allowing an attacker to inject commands into the CAN bus that could cause the vehicle to behave erratically.
To test the security of wireless OBD-II dongles, the researchers bought every available wireless one on Amazon's U.S. site in February 2019. The 77 dongles were examined for potential vulnerabilities.
Their analysis discovered five types of vulnerabilities affecting wireless dongles, four of which were new. Also, each of the 77 dongles had at least two vulnerabilities.
Eighty-five percent of the dongles had a lack of authentication at the connection or application layers, allowing anyone in range to connect. That's dangerous because the OBD-II port has direct access to a vehicle's CAN bus, which distributes messages to critical systems.
"Nearby attackers can use Wi-Fi or Bluetooth to connect, and you can control the vehicle," says Lin, the associate professor at Ohio State University who co-authored the study.
One-third of the devices allow simultaneous connections to the wireless dongle, even if the vehicle owner's own mobile device is connected to it. Nearly 68 percent of the dongles allowed undefined CAN bus messages to be sent. Undefined CAN messages should be filtered out by the wireless dongle to prevent mishaps.
While wireless dongles should be limited to querying diagnostic information, two models supported non-diagnostic functions. One dongle model can disable remote door locking, turn off the seat belt warnings and modify the parking sensor, they write in their research paper.
The danger can be compounded if drivers leave the wireless dongles plugged into their vehicles. Some dongles can remain active and open to connections, drawing power from a vehicle's battery even if the vehicle is off and unattended.
Vehicle manufacturers use different types of CAN messages, which are often proprietary and would require in-depth research to discover. But as Wen did by fuzzing his own car, random messages could be injected without necessarily knowing the result, which could mean unintended consequences.
The researchers have released a tool called DongleScope, which can automatically detect vulnerabilities in one of the devices. The tool is on their GitHub page.
The researchers contacted dongle manufacturers to warn them of the issues. Of 29 vendors, which covered about 61% of the dongles examined, only a handful of them responded after three months.
Two vendors committed to deploying better authentication, while others who responded said they were still mulling the issues. For one-third of dongles, the researchers were unable to even identify the manufacturer.
Wen says consumers can take certain safety precautions. For example, using Bluetooth-based dongles are a safer bet because those devices usually allow only one connection to be made at a time - unlike Wi-Fi devices, which allow multiple connections. Another tip: Unplug wireless dongles when they leave the vehicle.
"The dongles with higher prices tend to have fewer vulnerabilities but more security features," Wen says. "If customers can afford it and they would like to secure their vehicles, they can choose such dongles."
Lin adds: "You have to be cautious. You have to know that you may have purchased a device that allows bad guys to access your vehicle freely."
As far as his Honda Civic, Wen was able to restore it to working order again. He ended up using another wireless dongle to reset the CAN bus, which resolved the issues.
"It's back to normal, fortunately," he says.