
Security of ELM 327 Bluetooth Module

Discussion in 'Gen 3 Prius Technical Discussion' started by zm15, Apr 9, 2012.

  1. zm15

    zm15 Junior Member

    Joined:
    Sep 15, 2009
    73
    7
    0
    Location:
    USA
    Vehicle:
    2010 Prius
    Model:
    III
    I'm looking at getting an ELM 327 Bluetooth module to use with the Torque app and my Android phone.

    The access code for the Bluetooth adapter is '1234', which anyone can guess, and potentially enter OBD codes and whatnot.

    I'm not worried about it while I'm moving, but is there any danger leaving it plugged in while the car is off? i.e. parking it at work...
     
  2. KK6PD

    KK6PD _ . _ . / _ _ . _

    Joined:
    Mar 24, 2008
    4,003
    944
    118
    Location:
    Los Angeles Foothills
    Vehicle:
    Other Hybrid
    Model:
    N/A
    How can I put this simply, um, well, NO! First what's going to happen to a car that is off, parked. It will not remotely unlock doors, start up, drive away. About the only thing that might happen, if you don't drive for an extended period of time, it will help drain the +12 volt battery, that's all!
     
  3. zm15

    zm15 Junior Member

    Joined:
    Sep 15, 2009
    73
    7
    0
    Location:
    USA
    Vehicle:
    2010 Prius
    Model:
    III
    Lol, wasn't sure if codes could still be inputted while the car was off. The device has a single red light on (showing power to the adapter), even when the car is off, so didn't know if the unit could receive commands, etc....
     
  4. RobH

    RobH Senior Member

    Joined:
    Sep 18, 2006
    2,369
    978
    70
    Location:
    Sunnyvale, California
    Vehicle:
    2006 Prius
    Most of the computers in the car are turned OFF when the car is turned OFF. The computer that talks to the keyfobs is enabled all the time. The dealer scantool (Techstream) can be used to reset the keyfobs while the car is turned OFF, but this requires access to a security code. Adding keyfobs requires that they be inside the car, and I think the driver's door has to be open as well.

    So the main reason that there isn't a problem is that most of the computers are turned OFF and therefore couldn't be changed. The one system that could even be communicated with is protected by requiring the door to be open, as well as the security controls on doing anything with the keyfobs.

    There could be a problem with draining the 12V battery if the ELM draws too much power even when the car is turned OFF. It's not much, but several weeks of leaving the ELM device attached while the car is not used might be a problem.
     
  5. RobH

    RobH Senior Member

    Joined:
    Sep 18, 2006
    2,369
    978
    70
    Location:
    Sunnyvale, California
    Vehicle:
    2006 Prius
    On second thought, the Gen2 has a function for unlocking the trunk via a scantool. Except an ELM can't talk to that computer (it's on the KWP bus, not the CAN bus). If there is a similar function on a GEN3, then maybe there is an exposure. So MAYBE a custom program that emulates the Techstream scantool could pop the trunk of a turned OFF Gen3. Picking the mechanical lock would be a lot easier...
     
  6. zm15

    zm15 Junior Member

    Joined:
    Sep 15, 2009
    73
    7
    0
    Location:
    USA
    Vehicle:
    2010 Prius
    Model:
    III
    I can now confirm that while the car is off, and a Bluetooth ELM 327 adapter is plugged in, I cannot connect to it via Torque. It just cycles through trying to communicate with it.
     
  7. KK6PD

    KK6PD _ . _ . / _ _ . _

    Joined:
    Mar 24, 2008
    4,003
    944
    118
    Location:
    Los Angeles Foothills
    Vehicle:
    Other Hybrid
    Model:
    N/A
    I guess we can put this thread to rest! :p
     
  8. David Beale

    David Beale Senior Member

    Joined:
    Jul 24, 2006
    5,963
    1,979
    0
    Location:
    Edmonton Alberta
    Vehicle:
    2012 Prius
    To put a final nail in its coffin, please show me a thief who would try all the technical requirements to get in when a simple automatic centre punch will break the glass allowing entry in a few seconds. ;)
     
    WE0H likes this.
  9. szgabor

    szgabor Active Member

    Joined:
    Jul 29, 2009
    993
    175
    0
    Location:
    Oceanside NY
    Vehicle:
    2012 Prius
    Model:
    Two

    Short answer is No. OBD port is powered off about 10-30 sec after the car is turned off. So unless your car is left on the dongle is dead (no power on the OBD port so no way to transmit/receive over Bluetooth). Not sure what else the OBD port can do passively, but no connection via Bluetooth ... for sure
     
  10. KK6PD

    KK6PD _ . _ . / _ _ . _

    Joined:
    Mar 24, 2008
    4,003
    944
    118
    Location:
    Los Angeles Foothills
    Vehicle:
    Other Hybrid
    Model:
    N/A
    Unfortunately, that is incorrect in a Gen II Prius! I have the PLX Bluetooth unit, and Scan Gauge that are on 24/7 when plugged into my OBDII port! That little source of excess current drain on the 12 volt battery will be taken care of with a simple ON/OFF switch on pin 16 of the OBDII adapter cable I am using!
     
  11. szgabor

    szgabor Active Member

    Joined:
    Jul 29, 2009
    993
    175
    0
    Location:
    Oceanside NY
    Vehicle:
    2012 Prius
    Model:
    Two

    That may be the case on the GenII but NO power ... on the OBD2 power pins after about 30 sec in the GEN 3 ...

    So your ScanGauge is staying ON after you turned off the car ??? showing what ???

    I had my ScanGauge plugged in left the car over 2 weeks unused (traveling) no real issue .. (car is close to 3 years old one of the first Gen 3 bought in July 2009 !!) so there is no drain by the scangauge and there is no power on the OBD2 port ...
     
  12. macman408

    macman408 Electron Guidance Counselor

    Joined:
    Mar 21, 2010
    1,179
    365
    1
    Location:
    California
    Vehicle:
    2010 Prius
    Model:
    V
    I'm pretty sure KK6PD is right; I've programmed Xgauges several times while the car is off, IIRC. The Scangauge will turn off a few seconds after the car is off, but power is still available.

    The first week or two after I got the Scangauge, my battery died while the car was sitting idle for a week. I theorize that the Scangauge may have been powered on this whole time, as I might've fiddled with it or something, and it decided to not go into its sleep mode.
     
  13. RobH

    RobH Senior Member

    Joined:
    Sep 18, 2006
    2,369
    978
    70
    Location:
    Sunnyvale, California
    Vehicle:
    2006 Prius
    The Scangauge has logic to detect when the car is turned ON or OFF. The default setup apparently looks at engine RPM, and turns itself OFF when the engine hasn't been running for something like 30 seconds. When used with a Prius, the Scangauge has to be set up for a hybrid, as zero RPM is a normal occurrence.

    The ELM has no such logic. If the 12V is available, then it's ON. A genuine ELM 327 version 1.4 has a low power mode available, but commands have to be issued to take advantage of it. It's anybody's guess if the far more common clone "ELMs" actually have the low power mode.

    So it would appear that a properly configured Scangauge has a minimal power drain when the car is turned OFF.

    An ELM plugged into a Gen2 probably consumes full power all the time.

    An ELM plugged into a Gen3 gets turned OFF when the car is OFF.
     
  14. FrankTiger

    FrankTiger Member

    Joined:
    May 26, 2010
    63
    118
    0
    Location:
    Madrid, Spain
    Vehicle:
    2010 Prius
    Model:
    V
    Hi everyone :rapture:

    I have an ELM327 Bluetooth which identifies itself as v1.5, so it is probably emulated by a microprocessor.

    I made my own datalogger with a WM6.1 smartphone linked to the ELM327, which stays connected all the time to my 2010 Prius OBD port. When I switch off the car, all the PIDs get a "NO DATA" answer; however, the ELM327 answers with an OK to the AT commands, which means it is powered by the OBD port.

    But the most interesting thing is that the ELM327 ATMA command, which monitors the CAN bus, shows traffic with the car off and doors locked in the following IDs: 610 611 620 621 622 624 626 630 638 639 and also with 63B, which contains a time sequence. The traffic lasts 4 seconds at a rate of about 20 messages/second when the ATMA command is sent to the ELM327, and after the 4 seconds the CAN bus goes silent.

    When I walk up to the car (system off, doors locked) and the key fob is within detection range, the CAN bus traffic starts again with always the same 4 messages in IDs: 611 620 (twice) and 626.

    When I touch the door handle, the CAN bus traffic notices it, and after some one hundred messages, the CAN bus goes silent again.

    It looks like my ELM327 behaves differently from RobH's guess.

    Big hugs from Frank
     
    1 person likes this.
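Added example, not part of FrankTiger's post or any poster's code: a small Python summarizer for the kind of ATMA capture described above, grouping frames into bursts and counting CAN IDs per burst so you can see what is active on the bus while the car is parked. The log format (a host timestamp prefixed by the logger, headers enabled with ATH1) and all payload bytes are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
# Constructed sample: "<seconds> <11-bit ID> <data bytes>", as a logger might
# record ELM327 ATMA output with headers on (assumed format, made-up payloads).
SAMPLE = """\
0.00 610 20 00 00 00 00 00 00 00
0.05 611 00 00 00 00 00 00 00 00
0.10 63B 00 00 01 00 00 00 00 00
0.15 620 10 00 00 00 00 00 00 00
0.20 63B 00 00 02 00 00 00 00 00
0.25 BUFFER FULL
42.00 611 00 00 00 00 00 00 00 00
42.05 620 10 80 00 00 00 00 00 00
42.10 620 10 80 00 00 00 00 00 00
42.15 626 00 00 00 00 00 00 00 00
"""

FRAME = re.compile(r"^(\d+\.\d+) ([0-9A-F]{3})((?: [0-9A-F]{2}){1,8})$")

def parse(text):
    """Return (time, can_id, payload) tuples; skip adapter status lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((float(m[1]), m[2], bytes.fromhex(m[3])))
    return frames

def bursts(frames, gap=1.0):
    """Split frames into bursts separated by more than `gap` seconds of silence."""
    groups = []
    for f in frames:
        if groups and f[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(f)
        else:
            groups.append([f])
    return groups

def summarize(text, gap=1.0):
    out = []
    for g in bursts(parse(text), gap):
        duration = g[-1][0] - g[0][0]
        rate = (len(g) - 1) / duration if duration else 0.0
        out.append({"start": g[0][0], "frames": len(g),
                    "rate": round(rate, 1), "ids": Counter(f[1] for f in g)})
    return out

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Any burst that appears while the car is off and locked shows that the adapter is powered and that part of the bus is awake at that moment.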
  15. RobH

    RobH Senior Member

    Joined:
    Sep 18, 2006
    2,369
    978
    70
    Location:
    Sunnyvale, California
    Vehicle:
    2006 Prius
    I think the diagnostic port keeps power for a short time after the car is turned OFF. Maybe it's the timer that allows you to operate the windows immediately after turnoff.

    It would be interesting to put a voltmeter on the diagnostic port power line. My guess is that stays ON for about 30 seconds after power OFF, but then turns OFF. If the keyfob is detected (or, more specifically, the interior light turns ON), then diagnostic port power will come up again.

    Just guesses since I don't have regular access to a 2010...
     
  16. vincent1449p

    vincent1449p Active Member

    Joined:
    May 24, 2004
    894
    331
    0
    Location:
    Singapore
    Vehicle:
    2012 Prius c
    According to the 2010 EWD, DLC3 pin16 is connected to an OBD 7.5A fuse then to the 140A Main fuse to the Aux. Battery. So pin16 is always hot as there is no relay or control circuit to disconnect it from the Aux. Battery.

    Since most of the scantools take their power from pin16, they are always powered on whenever they are plugged into the DLC3 connector. Some scantools can switch to low power mode or sleep mode if there is no activity on the bus or the scantools are not requesting info from the ECUs. These scantools can wake up from sleep mode if they detect activity on the bus or there are commands from the computer, e.g. ELM, or a HOME button is pressed, e.g. SGII. Some scantools have an additional on/off switch, e.g. PLX Kiwi BT, to switch them off.

    Vincent
     


  17. szgabor

    szgabor Active Member

    Joined:
    Jul 29, 2009
    993
    175
    0
    Location:
    Oceanside NY
    Vehicle:
    2012 Prius
    Model:
    Two
    I can confirm this behaviour..

    I was totally sure that no power after a very short period of time .... when I open the door scangauge comes to life even if the car is still turned off and goes away again about the same delay as when you turn the car off clearly SKS is powered and "some" of the car computer regulates this ScanGauge cannot really know !!!

    But will check with a voltmeter later .... I want to know for sure...
     
  18. szgabor

    szgabor Active Member

    Joined:
    Jul 29, 2009
    993
    175
    0
    Location:
    Oceanside NY
    Vehicle:
    2012 Prius
    Model:
    Two
    I have to correct myself .. not sure where I read that OBD port is powered off ...


    But five minutes ago I finished the test with the voltmeter.

    I connected the multimeter and waited for over 5 minutes and YES the 12.78-12.81V (good for my battery) Battery voltage is there ...

    So ScanGauge shuts down using something other than the pin 16 to decide the car is off !!!

    Sorry if I misled someone ....

    Cheers.....
     
  19. macman408

    macman408 Electron Guidance Counselor

    Joined:
    Mar 21, 2010
    1,179
    365
    1
    Location:
    California
    Vehicle:
    2010 Prius
    Model:
    V
    RobH tried this on my car at the NorCal meet today, here's what we found (his laptop with Techstream plugged into my car while on, then I turned my car off):

    First, the driver's door can be unlocked with Techstream, but has some security features. Namely, if the doors were locked with either the fob or the touch sensor, it will not unlock the doors via computer. However, if the doors are locked manually or by using the buttons on the armrest, the computer will unlock them. So for the driver's door, that seems like pretty reasonable security, given that most people will lock their car while leaving it (unless you prefer to not use the smart key).

    However, the hatch release has no such security; it can be opened any time. If nobody is pulling up on it, it won't pop open, and will catch on the second latch, but as long as somebody is pulling it, it opens all the way.

    That said, a thief would have to:
    1. Identify that you have bluetooth connected to the CAN bus.
    2. Have a device capable of connecting to it.
    3. Break the security on whatever pairing mechanism it uses.
    4. Figure out the exact commands to send.
    5. Look reasonably suspicious around your vehicle for a minute or two while doing this.

    On the other hand, they could just wait nearby until bystanders leave the area and bust out a window in approximately 2 seconds, which is far more likely. In fact, it's probably nicer if the thief uses the Bluetooth way to hack in, as it leaves your windows intact. I have many friends who have had their cars broken into, and usually the window is the biggest cost ($200 or so, plus a $50 repair manual, one old tennis shoe, and a couple other worthless items, for one such friend). Theft from a car is typically a crime of opportunity, and is not premeditated enough to break in via a Bluetooth module on the CAN bus.
     
  20. vincent1449p

    vincent1449p Active Member

    Joined:
    May 24, 2004
    894
    331
    0
    Location:
    Singapore
    Vehicle:
    2012 Prius c
    I think Techstream can only connect when your car is on. Have you tried connecting TS with the car off in the 1st place?

    Vincent