Chester Dawson reports in the Wall Street Journal:
An Israeli cybersecurity firm is raising fresh concerns about hackers taking control of moving cars, remotely shutting down an engine with the help of a smartphone app, a Bluetooth connection and a type of device commonly plugged into ports located under vehicle dashboards.
Argus Cyber Security Ltd. said Thursday it was able to use a so-called dongle, a device often installed by insurance companies to monitor driving patterns or by owners wanting in-vehicle Wi-Fi, to crack into a vehicle’s internal communication system. The firm, well known in automotive circles, triggered a signal meant to disable the fuel pump, something that normally would happen only after a collision.
Argus didn’t disclose the model of car it hacked, noting most cars on the road have a diagnostic port designed for a dongle device. The breach is the latest in a series of high-profile hacks, including an incident two years ago staged by two security researchers who controlled a Jeep Cherokee via a wireless internet connection.
Cars are increasingly connected to external communications, prompting computer experts to exploit holes in firewalls installed by auto makers to separate media features from more critical functions, such as engines, transmissions or brakes. With more than 250 million vehicles on U.S. roads, industry executives have said beefing up controls is a priority.
“These firewalls are really new and immature in their security measures,” Ami Shalev, Argus research team leader, said in an interview.
Tesla Inc. and other auto makers have responded to hacks by bolstering security. Fiat Chrysler Automobiles NV, the maker of the Jeep hacked in 2015, recalled 1.4 million vehicles. Car companies have launched programs encouraging hackers to help identify vulnerabilities.
While dongles are made by several companies for various purposes, Argus’s latest hacking experiment used a device from German auto supplier Robert Bosch GmbH called Drivelog Connect, sold in Europe for about $75. The device collects vehicle data and sends it to a smartphone via a Bluetooth connection, alerting owners to maintenance issues and engine performance.
Bluetooth-enabled dongles, which can also provide a Wi-Fi connection, are a potential Trojan horse for any car built since 1996. That is when diagnostic access points, known as OBD-II ports and usually located by the steering column, became mandatory equipment on automobiles.
The market for connected-car technology using diagnostic ports is expected to grow to $1.6 billion by 2020, up from $160 million in 2013, according to San Antonio-based market research firm Frost & Sullivan. Insurers’ use of dongles alone is expected to reach 27 million vehicles by the end of the decade, Ptolemus Consulting Group estimates.
Last year, the Federal Bureau of Investigation issued a public service announcement warning about the risk posed to connected vehicles by malicious hackers. It specifically cited the potential threat of unauthorized remote access to vehicle diagnostic ports, noting the increasing popularity of dongles used for insurance and other monitoring purposes.
Argus said the hack, executed in Tel Aviv in February in a controlled environment, could be replicated on other models using the Bosch tool. “We estimate we can do that on any car,” said Yaron Galula, Argus’s chief technology officer and co-founder.
Bosch said its device is only distributed in Germany and is now equipped with a stopgap measure to ward off intrusions pending a more permanent fix.
“A patch that fixes the underlying weaknesses in the encryption protocol will be available shortly,” said Thorsten Kuhles, head of Bosch’s product security incident response team. “This patch will prevent the kind of attack as described by Argus.”
Bosch said sales of the product, which made its debut last May, have been “in the low four figures.” It declined to say if it has plans to market Drivelog Connect in the U.S.
Argus in January announced a partnership with a unit of Continental Corp., a large German-based auto parts supplier that competes globally with Bosch.