OBD II a Security Threat Vector?

[Jimrpa]

Does the presence of an accessible OBD II port pose a greater security threat on a heavily software driven car, like the Mustang Mach E, than a conventional car? What steps are taken to prevent a malevolent actor from using the OBD II port to inject malicious software? Or use the OBD II port to extract private information (such as driving history)?
I seem to recall I video not long ago, where some people demonstrated a proof of concept where they were able to take over control of steering acceleration and braking of a conventional car remotely. I’m hoping that Ford has tightly locked everything down so only authorized users can get into the car systems.

Sponsored

 

[ChasingCoral]

You do realize the OBD II port is a physical port, so it requires a device to be physically plugged into it? Wouldn't that nefarious soul just steal the car instead?

While car hacking is possible it is still extremely rare and likely to stay that way. Police reports show almost car theft is by

• Thieves checking to see if cars were left unlocked
• Slim jims and similar tools
• Breaking windows

Unless you are a particularly high-value target that will attract sophisticated hackers, your odds of having your car hacked are probably lower than winning the Mega Millions Lottery.

 

[Jimrpa]

You do realize the OBD II port is a physical port, so it requires a device to be physically plugged into it? Wouldn't that nefarious soul just steal the car instead?

While car hacking is possible it is still extremely rare and likely to stay that way. Police reports show almost car theft is by

• Thieves checking to see if cars were left unlocked
• Slim jims and similar tools
• Breaking windows

Unless you are a particularly high-value target that will attract sophisticated hackers, your odds of having your car hacked are probably lower than winning the Mega Millions Lottery.

I do realize it depends on access.
I’m also thinking about potential intent. Not all malevolent actors want to steal things. They may want to do other things - say, for example, some kind of zero-day exploit? Brick hundreds, if not thousands of electric or partly autonomous cars at rush hour?

 

[macchiaz-o]

I do realize it depends on access.
I’m also thinking about potential intent. Not all malevolent actors want to steal things. They may want to do other things - say, for example, some kind of zero-day exploit? Brick hundreds, if not thousands of electric or partly autonomous cars at rush hour?

Inserting a bad actor device into the OBD-II ports of hundreds, if not thousands of vehicles to stop them all at once????

Seems like a scheme like this would have to infiltrate through one of those insurance or state driven GPS tracker adapters. I guess don't sign up for one of those if you are concerned about it?

 

[ChasingCoral]

I do realize it depends on access.
I’m also thinking about potential intent. Not all malevolent actors want to steal things. They may want to do other things - say, for example, some kind of zero-day exploit? Brick hundreds, if not thousands of electric or partly autonomous cars at rush hour?

If you were going to do that, the last thing you would want your plan to require is installing a detectable physical device inside a hundreds to thousands of cars.

Sorry, I don't buy into conspiracy theories.

 

[Jimrpa]

Inserting a bad actor device into the OBD-II ports of hundreds, if not thousands of vehicles to stop them all at once????

Seems like a scheme like this would have to infiltrate through one of those insurance or state driven GPS tracker adapters. I guess don't sign up for one of those if you are concerned about it?

I work for an organization that purchases USB port locks to protect against a threat similar to this. That’s why I began to think about it.

 

[ab13]

Don't all cars have accessible ODB ports?

 

[ChasingCoral]

Don't all cars have accessible ODB ports?

Yes.

 

[ChasingCoral]

I work for an organization that purchases USB port locks to protect against a threat similar to this. That’s why I began to think about it.

How often do computer users put jump drives in their USB ports?
How often do drivers put devices in their ODB ports?
It's just not the same scale of problem.

 

[JamieGeek]

How often do computer users put jump drives in their USB ports?
How often do drivers put devices in their ODB ports?
It's just not the same scale of problem.

The OBD II port connector is rated for about 10 insertions and removals. Since one is in every car the OEM's try to make it as least expensive as possible by the low rating.

For the life of most cars I bet that is about how many times its used.

 

[ChasingCoral]

The OBD II port connector is rated for about 10 insertions and removals. Since one is in every car the OEM's try to make it as least expensive as possible by the low rating.

For the life of most cars I bet that is about how many times its used.

Only 10? Wow.
I’m sure my truck is well over that. 2003 pickup. It has been used every other year since 2005 for MD emissions inspection. Many of those were doubled as I had an Allstate device that would be unplugged and plugged back in by the emissions folks to plug and unplug their device. Then there has been each diagnostic at the repair shop.

 

[SnBGC]

Only 10? Wow.
I’m sure my truck is well over that. 2003 pickup. It has been used every other year since 2005 for MD emissions inspection. Many of those were doubled as I had an Allstate device that would be unplugged and plugged back in by the emissions folks to plug and unplug their device. Then there has been each diagnostic at the repair shop.

I am even worse than that with my Super Duty trucks. I've probably connected my scan tool to it several hundred times. But then again I've also added circuit boards, additional calibrations and a rotary dial knob to switch between them on the fly.

 

[GoGoGadgetMachE]

The OBD II port connector is rated for about 10 insertions and removals. Since one is in every car the OEM's try to make it as least expensive as possible by the low rating.

For the life of most cars I bet that is about how many times its used.

hmm. Ohio, and I bet other states, now use a reader on the port for smog check stuff - they don't do a tailpipe test on OBD-II cars, they just look for unacceptable data on the OBD-II port. This means you're looking at a lifetime of 11 years for a car, which feels like it's too short?

 

[BlueMach]

Yes.

No.

Model 3/Y don't.

 

[JellyBelly]

I think if a bad actor wants to do this i guess anything is possible. But at a individual car level its going to be rare as others already said. It needs some one with with access - say a valet at hotel or while servicing or say a random break the window to insert whatever usb. At best they can control your car and you will notice it.

Now can someone use that access to gain access to Ford central to control a mass of vehicles - again possible but that means Ford is lax with their security as well.

can it happen - yes anything possible.

I think of this as home security - despite having security systems and monitoring, people try to break into homes but most are deterred by the fact that you have security and if they break in and alarm sounds they usually take off. Could someone try to hack ADT central from a home and cause mass havoc - again possible but hope ADT security at their IT infrastructure level we hope is better right. It may not be a great example but thats what came to my mind.

We could have a said lock to the port but we have to remember to take it off when go to service the vehicle and if a bad actor is waiting there for a MME - the lock wont do any good right. But probably defeats someone who thinks of breaking a window to insert a bad usb drive to the port.

Sponsored