OBD II a Security Threat Vector?

spp

Member
First Name
Shawn
Joined
Feb 1, 2021
Threads
0
Messages
20
Reaction score
29
Location
Michigan, USA
Vehicles
Jeep Cherokee, Pacifica PHEV
Occupation
Sr. Solution Architect
Country flag
Jimrpa said:
I’m not talking about an attack against Ford. For example, one potential attack I was proposing was malevolent to a “botnet” attack. A malicious actor loads malicious software (say, via a really cool “free” OBD II scanner on the Google Android store) through the OBD II port to autos where it sits quietly. It then just sits quietly in different EVs, including the Mustang Mach E, until it’s triggered. We’ve already seen these attacks happen on platforms in other industries so this is NOT “hypothetical”. Do you want to hop in your Mustang Mach E one morning to be greeted by a screen demanding X BitCoin to be sent to some silly URL before your $60,000 brick moves?
Click to expand...
I would be very surprised if Ford didn't require signed firmware for the ECUs and a few levels of authentication between the device and ECU before allowing a firmware upload. At best, I can see the OBD port being disabled for spewing garbage on the network, at worst, I can see the vehicle shutting down because of said garbage.
Sponsored

 

spp

Member
First Name
Shawn
Joined
Feb 1, 2021
Threads
0
Messages
20
Reaction score
29
Location
Michigan, USA
Vehicles
Jeep Cherokee, Pacifica PHEV
Occupation
Sr. Solution Architect
Country flag
Jimrpa said:
Does the presence of an accessible OBD II port pose a greater security threat on a heavily software driven car, like the Mustang Mach E, than a conventional car? What steps are taken to prevent a malevolent actor from using the OBD II port to inject malicious software? Or use the OBD II port to extract private information (such as driving history)?
I seem to recall I video not long ago, where some people demonstrated a proof of concept where they were able to take over control of steering acceleration and braking of a conventional car remotely. I’m hoping that Ford has tightly locked everything down so only authorized users can get into the car systems.
Click to expand...
This was us and a Jeep Cherokee. This was way back when connected vehicles were in their infancy and group that didn't deal with computer security on a regular basis designed and built the connected vehicle system and forgot to lock the system down. I can go into details as the hack has been pretty thoroughly documented on the internet and at industry conferences.

That day was a wakeup call and the way we (and the industry) does business completely changed.
 
OP
OP
Jimrpa

Jimrpa

Well-Known Member
First Name
Jim
Joined
Sep 10, 2020
Threads
297
Messages
9,514
Reaction score
12,847
Location
Wayne, PA
Vehicles
2021 Infinite Blue Premium Mustang Mach E ER AWD
Occupation
Retied (formerly tried to herd highly technical, independent cats)
Country flag
spp said:
This was us and a Jeep Cherokee. This was way back when connected vehicles were in their infancy and group that didn't deal with computer security on a regular basis designed and built the connected vehicle system and forgot to lock the system down. I can go into details as the hack has been pretty thoroughly documented on the internet and at industry conferences.

That day was a wakeup call and the way we (and the industry) does business completely changed.
Click to expand...
Thanks for sharing the real-world insight! I know people must think I run around with a tinfoil hat - I don’t, but I work in a very security conscious organization ?
Sponsored

 
You must log in or register to reply here.

Similar threads

Any Android 13 PAAK Users With A BTLE OBD II Dongle?
Replies
0
Views
641
babgvant
babgvant
Success with Android, ABRP and Car Scanner with VEEPeak OBDCheck BLE OBD II Scan Tool
Replies
0
Views
3,631
mayhillman
mayhillman
PAAK II
2
Replies
27
Views
1,634
RSH
RSH
Calling all Security Minded Geeks ?
Replies
9
Views
1,451
sockmeister
sockmeister
A better route planner (ABRP) and OBD connection
Replies
4
Views
6,038
B177y
B177y
 







Top