In our previous post OBD-trackers – how big is the danger? we have argued that OBD trackers, that are connected directly to CANbus of the vehicle, can be dangerous. Some readers commented that the whole topic is a scaremongering and danger is not so big, if even real. And after all, none of this ever happened to date. But it is either a wishful thinking or like arguing that patient never died before, so guess what – he will live forever.

So we stand firmly behind my argument – and want to bring some real-life evidence.

First, let’s recap what it is it all about – we said that OBD trackers are dangerous from 2 major standpoints:

  • either internal failure might cause disruption on the network – main reason why service companies are not happy when regular GPS tracker is connected directly to the CANbus,
  • or intentional interference from outside – simply put – hacking attack.

Why hacking is not merely about stealing your data, but about causing real and imminent danger? Many telematics devices, installed in a car, have a possibility of remote firmware update. It is necessary to adjust what device can do on different vehicles, adjust to specific modifications of the car without the need of physically sending a technician there; it is just so much easier to work with.

So what we have as a result?

A device, that is connected to the internet with 2-way communication, a possibility of changing the firmware remotely, and direct, unobstructed connectivity to the very brains of the vehicle – CANbus network.

Let’s just have a look on one example – in 2015 Wired performed a test with a connected car – Jeep.

It was hacked by 2 car security enthusiasts via in-built infotainment system. They were able to switch on/off air conditioning, a volume of music and windshield wipers and windshield water dispensers, which is annoying enough (just have a look on the video below), but more importantly – they switched off the brakes and engine while the vehicle was driving on a highway – remotely.

So what happened there? An infotainment system is in a way very similar to a modern tracking device – it has internet connectivity, connectivity to CANbus and can be reprogrammed. If a standard device is connected to CANbus – 100% sure it can send messages to the network.

“Hackers” in this example first needed to break into the system itself, and it is probably not the easiest job – it is part of the professionally assembled car! And even then, access was gained. Now to mass-market OBD trackers – are they putting enough effort in protecting devices? And even then – with enough determination, it is possible.

Obviously, some cars are easier to hack than other, some will require sophisticated hacking techniques. But it is not hard to imagine – a GPS tracking company gets hacked, along with its database of vehicles, with their locations, current speeds, and also- access codes to firmware updates.

So, let’s say, a company has 100 000 connected cars with several models of OBD trackers. These models are freely available for purchase, that means they can be studied in advance. Hackers study just one model and now know how to send specific messages to CANbus. Then there are different cars with this particular device, but some of them have known vulnerabilities, or their “language” is open source – those are the first targets right from the spot.

Hackers would focus on this model, and send disruptive commands. Or send dozens, hundreds of commands to all vehicles and hope some models will react – brute-force approach is not the worst option to do some damage. Just send to everyone – some will definitely fall. Just like in “good old” computer hacking – some will definitely fall.

And lets all really hope they would just switch the radio to some awful music…

Just to be clear – we am not advertising or campaigning for a total ban on connected cars and additional internet-powered devices for automotive industry. Benefits are really and truly enormous. In the end – it is the business we am directly involved at! But we must be very careful with the security of real things, that CAN kill us, directed by people, willing and able to do so. We should press manufacturers to think about and work on this topic more.

Honestly, really don’t want to find ourselves on German autobahn at 200km/h with switched off brakes because car was influenced from outside! That why we need some kind of a physical firewall for connected cars – we will look into such possibility in next posts.