With all this talk about the coming electric and self-driving vehicles coming to market in the near future, the conversation almost always turns to cyber-security. What if I told you that you may actually be facing the same type of risk or worse RIGHT NOW in the vehicle you are driving. Yup, I am talking about an accessible connection under your car’s dashboard near your knees called the OBD II port.
Required by Federal law in all cars, light trucks, minivans, crossovers and SUVs since 1996, the acronym stands for On-Board Diagnostic port. The initial purpose of this port was to diagnose digital trouble codes relating to engine malfunctions that could result in a higher level of vehicle emissions. These codes would be stored for a time in the engine computer and accessible by a service technician, often with an OBD II diagnostic reader.
In recent years, that port has come to do so much more – and by proxy – represents the greatest present cybersecurity risk to your vehicle over the last twenty years. In today’s vehicles, the OBD II Data Link Connector is the main connector in the vehicle through which all systems are diagnosed and reprogrammed. When this port was originally designed, security was not considered.
Researchers at the University of Washing and the University of California examined the security around the OBD and found that they were able to gain control over many vehicle components via the interface. Worse, they were also able to upload new firmware into the engine control units.
As of 2016, the Federal Bureau of Investigation (yes, THAT FBI), has recommended that “vehicle owners should check with the security and privacy policies of the third-party device manufacturers and service providers, and they should NOT connect any unknown or untrusted devices to the OBD II port.” The National Highway Traffic Safety Administration (NHTSA) takes things a step further. The federal agency recommends limiting access to third parties during vehicle operation. Aftermarket devices such as mobile phones, USB devices and ESPECIALLY dongles that plug into the OBD II port are especially mentioned by NHTSA as risk factors.
A Carnegie Mellon University study commissioned by the Department of Homeland Security named “On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle” stated that most OBD II aftermarket devices have significant security flaws, or no security at all. Many of these devices simply pass any serial data from a radio interface (Bluetooth, WiFi or cellular) to the OBD II port and from there to the vehicle’s controller area network system. (CAN bus) If the data is not sanitized, an attacker who controls the device could send arbitrary commands to the car’s brakes, steering, accelerator and other important safety components.
Bottom line for vehicle owners: picking an OBD II port-based solution today carries new risks. Besides having to navigate the rapidly changing arena of aftermarket players and solutions, the potential safety risks and liabilities also need to be considered. As always, be careful and be aware!