Over the last summer, the security research community has proven like never before that cars are vulnerable to hackers—via cellular Internet connections, intercepted smartphone signals, and even insurance dongles plugged into dashboards. Now an automotive security researcher is calling attention to yet another potential inroad to a car’s sensitive digital guts: the auto dealerships that sell and maintain those systems.
At the Derbycon hacker conference in Louisville, Kentucky last week, security consultant Craig Smith presented a tool designed to find security vulnerabilities in equipment that’s used by mechanics and dealerships to update car software and run vehicle diagnostics, and sold by companies like Snap-On and Bosch. Smith’s invention, built with around $20 of hardware and free software that he’s released on GitHub, is designed to seek out—and hopefully help fix—bugs in those dealership tools that could transform them into a devious method of hacking thousands of vehicles.
If a hacker were to bring in a malware-harboring car for service, the vehicle could spread that infection to a dealership’s testing equipment, which in turn would spread the malware to every vehicle the dealership services, kicking off an epidemic of nasty code capable of attacking critical driving systems like transmission and brakes, Smith said in his Derbycon talk. He called that car-hacking nightmare scenario an “auto brothel.”
“Once you compromise a dealership, you’d have a lot of control,” says Smith, who founded the open source car hacking group Open Garages, and wrote the Car Hacker’s Handbook. “You could create a malicious car… The worst case would be a virus-like system where a car pulls in, infects the dealership, and the dealership then spreads that infection to all the other cars.”
The tool Smith created simulates that kind of attack by acting like a malware-carrying car. Primarily, it’s a testing device: a way to see what kind of malicious code would need to be installed on a car to infect any diagnostic tools plugged into it. Smith’s device is built from a pair of OBD2 (On-Board Diagnostics) ports, the kind that typically sit under a car’s dashboard to give mechanics an entry point to the CAN network that controls a vehicle’s physical components. It also uses a resistor and some wiring to simulate a car’s internal network, plus a 12-volt power source. All of that is designed to impersonate a car when a dealership’s diagnostic tool is plugged into one of the OBD2 ports. The second OBD2 port connects the device to a PC running Smith’s vulnerability scanning software. Smith calls his easily replicated hardware setup the ODB-GW, or Ol’ Dirty Bastard Gateway, a play on a common misspelling of OBD and an homage to the late member of the Wu-Tang Clan.
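To make the exchange concrete, here is an added example that is not Smith’s ODB-GW code and does not come from the article: a Python simulation in which a fake ECU (the role the ODB-GW hardware plays) answers a scan tool’s OBD-II Mode 01 request for engine RPM over CAN, and two tool-side parsers handle the reply. One trusts the frame blindly, the other validates every field a car under test controls before decoding it, which is the property a dealership tool needs if a hostile vehicle is plugged into it. The arbitration IDs, PID encoding and single-frame layout follow the public OBD-II/ISO-TP conventions; every frame and value below is constructed for the example.

```python
"""Simulated OBD-II over CAN: a fake ECU answers a scan tool, and the tool
parses the reply. Added example, not the ODB-GW project's code. All frames
and values are constructed; the layout follows public OBD-II/ISO-TP rules."""
from dataclasses import dataclass

OBD_REQUEST_ID = 0x7DF           # functional request ID scan tools broadcast on
OBD_RESPONSE_ID = 0x7E8          # response ID of the first (engine) ECU
RESPONSE_IDS = range(0x7E8, 0x7F0)
MODE_CURRENT_DATA = 0x01
PID_ENGINE_RPM = 0x0C


@dataclass(frozen=True)
class CanFrame:
    """A classic CAN frame: 11-bit arbitration ID and up to 8 data bytes."""
    arb_id: int
    data: bytes

    def __post_init__(self):
        if not 0 <= self.arb_id <= 0x7FF:
            raise ValueError("11-bit arbitration ID out of range")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")


def _pad(payload: bytes) -> bytes:
    return payload + b"\x00" * (8 - len(payload))


def build_request(mode: int, pid: int) -> CanFrame:
    """Scan tool side: ISO-TP single frame, first byte = byte count (2)."""
    return CanFrame(OBD_REQUEST_ID, _pad(bytes([2, mode, pid])))


def fake_ecu_reply(request: CanFrame, rpm: int) -> CanFrame:
    """The simulated car: implements only Mode 01 PID 0C (engine RPM)."""
    length, mode, pid = request.data[0], request.data[1], request.data[2]
    if length != 2 or mode != MODE_CURRENT_DATA or pid != PID_ENGINE_RPM:
        raise ValueError("simulated ECU only implements Mode 01 PID 0C")
    if not 0 <= rpm <= 16383:
        raise ValueError("PID 0C cannot encode that RPM")
    raw = rpm * 4                      # PID 0C: RPM = ((A << 8) | B) / 4
    payload = bytes([4, mode + 0x40, pid, (raw >> 8) & 0xFF, raw & 0xFF])
    return CanFrame(OBD_RESPONSE_ID, _pad(payload))


def naive_parse_rpm(frame: CanFrame) -> int:
    """Tool-side parser that trusts the car: indexes fixed offsets with no
    check of ID, frame type, length, mode echo or PID. A short frame raises
    IndexError; a frame answering a different PID decodes as nonsense."""
    d = frame.data
    return ((d[3] << 8) | d[4]) // 4


def parse_rpm_response(frame: CanFrame, expected_pid: int = PID_ENGINE_RPM):
    """Tool-side parser that validates before decoding. Returns the RPM, or
    None for anything that is not a well-formed answer to our request.
    Each check guards a field the vehicle under test sets arbitrarily."""
    d = frame.data
    if frame.arb_id not in RESPONSE_IDS:
        return None                    # not an OBD-II response ID
    if len(d) < 1 or (d[0] >> 4) != 0:
        return None                    # not an ISO-TP single frame
    length = d[0] & 0x0F
    if length > 7 or 1 + length > len(d):
        return None                    # length claims more bytes than carried
    body = d[1:1 + length]
    if length != 4 or body[0] != MODE_CURRENT_DATA + 0x40 or body[1] != expected_pid:
        return None                    # wrong mode echo, PID, or payload size
    return ((body[2] << 8) | body[3]) // 4


if __name__ == "__main__":
    req = build_request(MODE_CURRENT_DATA, PID_ENGINE_RPM)
    print("good reply ->", parse_rpm_response(fake_ecu_reply(req, 3000)))
    # Constructed hostile replies: a truncated frame and a wrong-PID frame.
    short = CanFrame(OBD_RESPONSE_ID, bytes([0x04, 0x41]))
    wrong_pid = CanFrame(OBD_RESPONSE_ID, _pad(bytes([4, 0x41, 0x0D, 0x2E, 0xE0])))
    print("short frame, validated ->", parse_rpm_response(short))
    print("wrong PID, validated ->", parse_rpm_response(wrong_pid))
    print("wrong PID, naive ->", naive_parse_rpm(wrong_pid))
```

The validated parser returns `None` for the truncated and wrong-PID frames, while the naive one crashes on the first and silently decodes the second as 3000 RPM; that gap between the two is what a fuzzing rig plugged into a diagnostic tool is looking for, and closing it on the tool side is the fix the article is asking vendors to make.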