
Researchers Switch Off Car Engine Using Connected Dongle Vulnerability

Security researchers have discovered a vulnerability in the Bosch Drivelog Connect car dongles which could enable an attacker to turn off the car’s engine.

The flaws in the dongle and the accompanying smartphone application, discovered by Israeli firm Argus Cyber Security, let hackers circumvent authentication processes and give commands to cars.

The researchers accessed the dongle through an information leak in the authentication process which allowed them to get the PIN through a brute-force attack and connect to the dongle via Bluetooth.

Security flaw

“Once connected to the dongle, security holes in the message filter of the dongle enabled us to inject malicious messages into the vehicle CAN bus,” said Alexei Kovelman, a software engineer at Argus. “In our research, we were able to turn off the engine of a moving car while within Bluetooth range.

“As troubling as that is, in a more general sense, since we can use the dongle to inject malicious messages into the CAN bus, we may have been able to manipulate other ECUs on the network. If an attacker were to implement this attack method in the wild, we estimate that he could cause physical effects on most vehicles on the road today.”

Kovelman first recreated a car environment in a lab to fool the dongle into thinking it was connected to a vehicle. He did this by recording the data collected from an actual car, before replaying these responses in the external environment.

After analysing the encryption protocols on the dongle itself, the team decided to attack through the smartphone app, specifically through the message filter, as the dongle doesn’t properly filter the messages it receives from the app.
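The article does not describe the filter's internals, so the following is an added example, not Bosch's or Argus's code, of what a deny-by-default message filter between the app and the CAN bus looks like. The frame struct, the restriction to the OBD-II functional request ID and the list of read-only services are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed frame type for this example, not the dongle's real structure. */
typedef struct {
    uint32_t id;      /* CAN identifier */
    uint8_t  dlc;     /* number of data bytes, 0..8 */
    uint8_t  data[8];
} can_frame_t;

#define OBD_FUNCTIONAL_REQ 0x7DFu /* OBD-II functional request ID */

/* Assumed allowlist: read-only OBD-II services a telematics app needs. */
static const uint8_t ALLOWED_SERVICES[] = {
    0x01, /* show current data */
    0x03, /* read stored trouble codes */
    0x09, /* request vehicle information */
};

/* Deny by default: true only when every check passes. */
bool filter_allows(const can_frame_t *f)
{
    if (f == NULL || f->id != OBD_FUNCTIONAL_REQ) return false;
    if (f->dlc < 2 || f->dlc > 8) return false;
    uint8_t pci = f->data[0];
    if ((pci & 0xF0) != 0x00) return false;        /* ISO-TP single frames only */
    uint8_t len = pci & 0x0F;
    if (len < 1 || len > f->dlc - 1) return false; /* declared length must fit */
    for (size_t i = 0; i < sizeof ALLOWED_SERVICES; i++)
        if (f->data[1] == ALLOWED_SERVICES[i]) return true;
    return false;
}

int main(void)
{
    /* Constructed sample frames as they might arrive from the app side. */
    const can_frame_t samples[] = {
        {0x7DF, 8, {0x02, 0x01, 0x0C}}, /* read engine RPM: forwarded */
        {0x123, 8, {0x02, 0x01, 0x0C}}, /* non-diagnostic ID: dropped */
        {0x7DF, 8, {0x02, 0x55, 0x00}}, /* service not on the list: dropped */
        {0x7DF, 8, {0x10, 0x0A, 0x01}}, /* multi-frame start: dropped */
        {0x7DF, 2, {0x05, 0x01}},       /* length exceeds payload: dropped */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("id=0x%03X svc=0x%02X -> %s\n", (unsigned)samples[i].id,
               (unsigned)samples[i].data[1], filter_allows(&samples[i]) ? "forward" : "drop");
    return 0;
}
```

The filter enumerates what may pass rather than what is blocked, so any identifier, frame type or service it does not recognise is dropped without needing a rule of its own.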

In light of the vulnerability, Kovelman advises automotive manufacturers to carry out regular penetration testing, make sure products are designed with security in mind and include multi-layered security solutions.

Connected cars are fast becoming an extremely serious threat vector and, with their number on the roads only continuing to rise, car security is an issue that needs to be addressed sooner rather than later.


Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.
