
A Remote Attack on the Bosch Drivelog Connector Dongle
https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/
======
kylehotchkiss
I went out of my way to buy a vehicle with no GSM chip built in whatsoever
(that's not easy in 2016). Car companies care as little about protecting their
tech as they care about trying to fix the USA's lovely car dealership system.

I know this post is about a dongle, but you can remove a dongle from a car at
least. You can't remove the GSM chip from most new cars that's uploading your
location to heaven knows where and how many people have hacked their database
this week.

~~~
gumby
Can't you disconnect / destroy the antenna?

------
Buge
I knew IOT devices generally have weak security, but I didn't anticipate them
so easily being connected to physically dangerous objects like cars. I wonder
how common this will become.

~~~
yetihehe
Most trucks in Europe have GPS systems which connect to CAN in order to
measure driver efficiency and vehicle condition. They are also connected via
the cellphone network to the internet (only sometimes through an APN, the
mobile equivalent of a VPN). All of them have security holes, typically much
worse than this dongle, just no one cared to look at them yet.

~~~
rahkiin
Wouldn't it be possible to have the CAN chip only send data to the IoT
microprocessor? So not attaching the Tx but only Rx. As far as I understand
CAN it is a bus everything is dropped on, without an actual request-response
system.

Now everything from the car could be read but nothing can be controlled.

~~~
jasonkostempski
This. One-way communication needs to make a comeback in a big way.

~~~
paulmd
This is fundamentally impossible in a CAN bus, and is stupid and
functionality-limiting anyway. Everyone likes it when the radio turns off when
the ignition does, these systems need to be able to talk to each other to get
the functionality you expect.

What you need is to move away from the non-authenticated bus paradigm
entirely, to a network-based system where some devices may be assumed to be
hostile (which is what you have, like it or not).

This inherently involves authentication and privilege systems, so that the
pedal controllers can prove to the brake controllers who they are, so that
when the radio/head unit tries to interface with the brake controllers the
brake controllers can go "woah, hey, you're not supposed to be touching the
brakes".

This at least would require escalation from a trivial system like the head
unit to a more crucial system, which is a more typical model for exploits in
computer OSs.

This is a workable threat model. "Trust everyone all the time" is no longer,
and hasn't been since we allowed external connectivity to automobile systems.

------
SwedishChemist
Is the Drivelog Connect even necessary?

"Drivelog Connect allows your car to speak to you. Your car directly connects
with your smartphone. All the information becomes available at your
fingertips."

Many of the features the app offers could be made available in the car's
console/monitor.

Like: automotive diagnostics, display of real-time driving behavior (should
you really be looking at your smartphone while driving?), a logbook for
recording and storing routes...

I don't really see the benefit of this app.

------
azinman2
Seems to me that the main thing they could do that's cheap and easy is require
a button press on the device to pair. Unfortunately that's not as simple as a
firmware update.

------
microDude
Actually, I was impressed how much security Bosch included in their device.

For an IoT device I would give this a gold star. I am sure after this report
was given to them, they patched their firmware.

~~~
tyingq
I dunno...the dongle gives up its certificate so that you can brute force it
offline. It's an 8 digit numeric only PIN. 100 million possible PINs, when you
can do 100 million SHA-256 computations in 30 minutes on a typical laptop.
That seems unwise.

And it allows you to send and receive any CAN bus message you want, versus
just some subset of OBDII. As far as I can tell, the features don't require
anything other than querying OBDII for some very small subset of data. So if
the dongle only passed those request packets, and dropped everything else, it
would be miles more secure. Since it appears to be a simple passthrough
device, I'm not sure there's enough horsepower in the dongle to fix that with
firmware.
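A dongle-side allowlist of the kind rahkiin and tyingq describe, as an added example rather than code from Bosch or Argus: only ISO-TP single-frame OBD-II requests for a small set of mode/PID pairs are forwarded from the phone to the bus, and everything else is dropped, while the car-to-phone direction is left untouched so reading stays possible. The 0x7DF/0x7E0-0x7E7 identifiers are standard OBD-II; the PID set and the sample frames are constructed assumptions, since the page does not list what the app actually queries.

```python
from dataclasses import dataclass

# OBD-II request identifiers (11-bit): 0x7DF is the functional broadcast
# address, 0x7E0-0x7E7 address individual ECUs. Responses come back on
# 0x7E8-0x7EF and are never subject to this (phone -> car) filter.
OBD_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))

# Assumed allowlist of mode/PID pairs a driving-log app needs (constructed;
# the real app's query set is not on the page).
ALLOWED_PIDS = {
    0x01: {0x00, 0x05, 0x0C, 0x0D, 0x2F},  # supported PIDs, coolant, RPM, speed, fuel
    0x09: {0x00, 0x02},                    # supported PIDs, VIN
}

@dataclass(frozen=True)
class CanFrame:
    arb_id: int
    data: bytes

def is_allowed_request(frame: CanFrame) -> bool:
    """True only for an ISO-TP single frame carrying one allowlisted mode/PID."""
    if frame.arb_id not in OBD_REQUEST_IDS:
        return False                      # raw bus traffic (body, powertrain, ...)
    if not 3 <= len(frame.data) <= 8:
        return False                      # classic CAN payload is at most 8 bytes
    pci, mode, pid = frame.data[0], frame.data[1], frame.data[2]
    if pci != 0x02:
        return False                      # rejects multi-frame PCIs and longer payloads
    return pid in ALLOWED_PIDS.get(mode, set())

def filter_outbound(frames):
    """Split phone->car frames into those forwarded to the bus and those dropped."""
    forwarded, dropped = [], []
    for frame in frames:
        (forwarded if is_allowed_request(frame) else dropped).append(frame)
    return forwarded, dropped

# Constructed sample traffic as a phone app might push through the dongle.
SAMPLE_FRAMES = [
    CanFrame(0x7DF, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0])),     # engine RPM: forwarded
    CanFrame(0x7DF, bytes([0x02, 0x09, 0x02, 0, 0, 0, 0, 0])),     # VIN: forwarded
    CanFrame(0x7E0, bytes([0x02, 0x10, 0x03, 0, 0, 0, 0, 0])),     # UDS session control: dropped
    CanFrame(0x7DF, bytes([0x03, 0x01, 0x0C, 0x0D, 0, 0, 0, 0])),  # multi-PID request: dropped
    CanFrame(0x123, bytes(8)),                                     # arbitrary raw frame: dropped
]

if __name__ == "__main__":
    kept, blocked = filter_outbound(SAMPLE_FRAMES)
    print(f"forwarded {len(kept)}, dropped {len(blocked)}")
```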

