The OBD has manufacturers worried

Peter Els

The motoring world was shocked back in 2015 when Charlie Miller and Chris Valasek remotely took control of a Jeep; up until then the industry believed the greatest security threat was direct access to the OBD port in the vehicle. The thought of someone remotely taking control or injecting malware into the complex network upped the game to a whole new level.

But if the world thought this was as bad as it could get, Miller and Valasek were about to shatter the cyber security calm once again: This time with an even more spectacular attack implemented through the OBD port in the vehicle.

Hackers with direct access to the vehicle wreak havoc

Unlike the previous attack, Miller and Valasek weren’t able to take control over the Internet: Due to the efficacy of FCA’s security patch they could only access the vehicle with a laptop directly plugged into the Jeep’s CAN network via the OBD port under the dashboard.

Instead of focusing on the initial wireless foothold, this time the hackers targeted a set of safeguards deeper in the vehicle’s network.

Vehicle CAN network components are designed to resist certain dangerous digital signals: The diagnostic mode that Miller and Valasek originally used to disable the Jeep’s brakes wouldn’t work at speeds above five miles per hour, and the automatic parking assist feature they used to turn the steering wheel only worked when the vehicle was in reverse and traveling at low speeds.

So this time, instead of merely compromising one of the electronic control units (ECUs) on the target car’s CAN network and using it to spoof messages to the car’s steering or brakes, they also attacked the ECU that sends legitimate commands to those systems, which would otherwise contradict their malicious commands and prevent an attack.

By putting the second ECU into “bootrom” mode, which is also the first step in updating the ECU’s firmware that a mechanic might use to fix a bug by connecting through the OBD port, they were able to freeze that ECU and send malicious commands to the target system without interference.

“You have one computer in the car telling it to do one thing and we’re telling it to do something else,” says Miller. “Essentially our solution is to knock the other computer offline.”

Once they’d accomplished this they were able to override contradicting signals that instruct the parking brake not to activate, for instance, and thus bring the vehicle to a halt from any speed in seconds. And in combination with another vulnerability they found in the steering module ECU, they could knock out the steering so that the wheel resists the driver’s attempts to turn it, at the same time allowing the hackers to turn the wheel at any speed.

And Fiat Chrysler’s response? “This demonstration required a computer to be physically connected into the vehicle’s onboard diagnostic port and be present in the vehicle. It appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.”

But what if they had indeed found another means to hack the CAN network over the air?

Zubie’s connected car service plugs into the OBD port and opens up communication with the cloud!

This is exactly what Israeli automotive cyber security pioneer Argus Cyber Security discovered when evaluating the telematics software of third-party connected car supplier Zubie. Zubie is a leading connected car service that allows the owner, among other things, to track their driving habits, detect possible malfunctions through the vehicle’s OBD and share a location with friends using a very intuitive mobile application.

All this is made possible by hooking the Zubie device into the OBD-II port of the car, with the device then communicating with the internal network of the vehicle and, through a mobile GPRS modem, connecting to the Zubie cloud.

The cyber security vulnerability, discovered by Argus, would allow an attacker to wirelessly and remotely take control of a vehicle’s mission critical systems such as the engine, brakes, and steering.

During their evaluation Argus found that every time the device accessed the control server (in order to report the status of the vehicle), it was susceptible to receiving in response a configuration update via its “config_url” command. Reacting to the response, the device would download the new configuration file containing the hackers’ holy grail: instructions to update and overwrite specific files on the device.

Since the entire communication is based on the non-secure HTTP protocol, the device was not verifying the authenticity of its control server. In addition, the downloaded software updates were not digitally signed. This meant that an attacker who was able to take over the server or its DNS address could send malicious software updates to the in-vehicle device.

One practical method of taking over the DNS address would be to hijack the GPRS cellular connection between the device and its server by setting up a rogue base station and performing what’s commonly referred to as a “Man-In-The-Middle” attack.

Argus was able to execute such an attack and set up a “malicious” server that communicated with the in-vehicle device and sent loaded software updates by responding with config_url=config.tmp to the HTTP requests. This caused the device to download the new config.tmp configuration file that instructed the device to update its main boot_base.pyo file.

By so doing, the researchers were able to install a Trojan horse on the Zubie device that effectively allowed them to take control of the vehicle.
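The two missing checks described above (no authenticated control server, no signed updates) can be sketched from the device's side. This is an added example, not Zubie's or Argus's code: the host name, key, manifest layout and function names are assumptions, and an HMAC stands in for a digital signature so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed demo key. HMAC stands in for a digital signature here; a real
# device should verify an asymmetric signature so that no signing secret is
# stored on the dongle itself.
DEVICE_KEY = b"constructed-demo-key"
PINNED_HOST = "updates.example.invalid"  # hypothetical update host

def manifest_tag(manifest, key=DEVICE_KEY):
    """Authenticate the canonical JSON encoding of the update manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def check_update(config_url, manifest, tag, payloads):
    """Return the file names that may be written, or raise ValueError."""
    url = urlsplit(config_url)
    # Scheme and host only; certificate validation is the HTTP client's job.
    if url.scheme != "https" or url.hostname != PINNED_HOST:
        raise ValueError("untrusted config_url")
    if not hmac.compare_digest(manifest_tag(manifest), tag):
        raise ValueError("manifest not authenticated")
    for name, expected in manifest["files"].items():
        digest = hashlib.sha256(payloads.get(name, b"")).hexdigest()
        if not hmac.compare_digest(digest, expected):
            raise ValueError("payload hash mismatch: " + name)
    return sorted(manifest["files"])

def outcome(*args):
    """Run check_update and report either the accepted files or the refusal."""
    try:
        return check_update(*args)
    except ValueError as exc:
        return str(exc)

# Constructed sample update: one vendor-built file and its tagged manifest.
VENDOR_FILE = b"vendor build of boot_base"
MANIFEST = {"version": 7,
            "files": {"boot_base.pyo": hashlib.sha256(VENDOR_FILE).hexdigest()}}
TAG = manifest_tag(MANIFEST)
GOOD_URL = "https://" + PINNED_HOST + "/config.tmp"

if __name__ == "__main__":
    print(outcome(GOOD_URL, MANIFEST, TAG, {"boot_base.pyo": VENDOR_FILE}))
    print(outcome("http://" + PINNED_HOST + "/config.tmp", MANIFEST, TAG,
                  {"boot_base.pyo": VENDOR_FILE}))
    print(outcome(GOOD_URL, MANIFEST, TAG, {"boot_base.pyo": b"replaced file"}))
```

With these checks in place, a response that redirects the device to a plain-HTTP config_url, or that delivers a replaced boot_base.pyo, is refused before anything is written.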

With the OBD-II port providing direct access, through the CAN bus, to the internal, most critical and sensitive systems in the vehicle, injecting a malevolent agent on the Zubie device would allow malicious messages to be sent over the vehicle’s bus, thereby influencing certain of the vehicle’s modules to, for example, unlock the doors or influence the instrument cluster.

Furthermore, having accessed the CAN network, hackers would be able to take control of other critical functions such as the brakes, engine and steering. The more advanced the vehicle is, the more of its systems are computer controlled, which means the damage such a breach can cause is even greater.

Additionally, by installing a Trojan it would be possible to also keep track of the vehicle’s location, track the driving behaviour and transmit this data to an unauthorised third party. This clearly violates passengers’ privacy.

Even more concerning is the fact that such an attacker would be able to remotely take control of a Zubie equipped vehicle from anywhere in the world.

Regulators offer guidance

With highly connected cars starting to make their appearance, government agencies across the globe are beginning to get involved in mitigating the cyber security threat. In September 2016, the month before the National Highway Safety Administration released the ‘Cybersecurity Best Practices for Modern Vehicles’ guide, the Energy and Commerce Committee sent NHTSA a letter raising questions concerning cybersecurity risks related to On Board Diagnostics (“OBD-II”) ports, calling on NHTSA to establish an industry-wide working group on the subject.

The Cybersecurity Guidance does not directly address OBD-II ports, though it does call for operational limits on “control vehicle maintenance diagnostic access” and calls on the automotive industry to consider the effects of aftermarket devices like insurance dongles and cell phones that are connected to vehicle information systems.

As a result, in its response to the Energy and Commerce Committee, NHTSA indicated that at their request, “SAE International has started a working group that is looking to explore ways to harden the OBD-II port.”

So for now the industry plays cat and mouse with the hackers.


Company information according to § 5 Telemediengesetz
IQPC Gesellschaft für Management Konferenzen mbH
Address: Friedrichstrasse 94, 10117 Berlin
Tel: 49 (0) 30 20 913 -274
Fax: 49 (0) 30 20 913 240
Registered at: Amtsgericht Charlottenburg, HRB 76720
VAT-Number: DE210454451
Management: Silke Klaudat, Richard A. Worden, Michael R. Worden
