Car Gadgets are becoming increasingly popular, promising to enhance your driving experience with features ranging from real-time vehicle diagnostics to usage-based insurance tracking. These devices, often plugged into your car’s OBD2 port, offer convenience and connectivity. However, lurking beneath the surface of these handy tools are potential security vulnerabilities that could leave your vehicle – and your data – exposed to cyber threats.
Recent research has brought to light the significant security risks associated with certain OBD2 dongles, tiny devices that connect to your car’s onboard computer system. Researchers at the University of California, San Diego (UCSD) uncovered critical flaws in dongles from a company called Mobile Devices, revealing how easily these gadgets could be exploited to gain unauthorized access to a vehicle’s control systems.
These findings highlight a broader concern within the burgeoning market of car gadgets: the potential for security to be overlooked in the rush to innovate and connect our vehicles. While manufacturers tout the benefits of telematics and smart car technology, the underlying security infrastructure may not always be robust enough to withstand determined hackers.
One of the most concerning discoveries by the UCSD team was the ease with which they could access and manipulate the Mobile Devices dongles. They found that the “developer” mode was inexplicably enabled, essentially leaving the backdoor wide open for anyone to gain entry. Using a common protocol called SSH, hackers could remotely access these devices. Furthermore, a single, shared private key across all devices meant that once compromised, any dongle of that type could be easily controlled. This “root” access gave attackers complete command over the gadget’s functions.
Adding to the vulnerability, these dongles were configured to accept commands via SMS, a communication method notoriously lacking in strong security measures. By simply sending text messages to the device from a designated phone number, malicious actors could rewrite the firmware or issue direct commands to the connected vehicle. Imagine the possibilities – and the dangers – of someone remotely manipulating your car’s systems through a simple text message.
These vulnerabilities aren’t isolated incidents. The UCSD research focused on Mobile Devices dongles, but other similar devices have also come under scrutiny. Progressive’s Snapshot, another OBD2 plug-in used for telematics-based insurance, was previously identified as having serious security weaknesses by researcher Corey Thuen. While Thuen’s findings didn’t include a live demonstration of an attack, the potential for exploitation was clear. Similarly, cybersecurity firm Argus revealed hackable flaws in the Zubie, an OBD2 device designed for personal driving efficiency tracking.
While companies like Coordina, whose devices were also flagged as potentially vulnerable, have responded by claiming that the identified issues pertain to older versions and that they are working on replacements, the underlying message remains clear: the security of car gadgets needs to be taken seriously. TomTom Telematics, Coordina’s parent company, argued that their devices were not susceptible to SMS attacks due to the non-public nature of their SIM card numbers. However, the UCSD researchers countered that they could bypass this by using brute-force guessing to send SMS messages, although they hadn’t specifically tested this on Coordina devices.
The implications of these vulnerabilities extend beyond individual consumers. With government initiatives promoting the use of telematics systems in federal vehicle fleets to enhance efficiency, the potential scale of risk becomes significantly larger. Thousands of government-owned vehicles could soon be equipped with these internet-connected dongles, potentially creating a vast network of vulnerable entry points.
As Karl Koscher, one of the UCSD researchers, wisely advises, “Think twice about what you’re plugging into your car.” In an era of increasing connectivity, it’s crucial for both consumers and manufacturers of OBD2 devices to prioritize security. While the convenience and features of car gadgets are appealing, understanding and mitigating the potential security risks is paramount. The question consumers should ask themselves is: “Is this car gadget exposing me to more risk, and am I okay with that?” The answer may determine whether the benefits of these devices outweigh the potential cost to your vehicle’s security and your personal data.
