Cyber Security and CAN bus wifi/bluetooth devices (ELM327 etc)

This is reasonable advice. The risk is greatest for devices that are always plugged in, have their own cellular or other connections to the Internet, or both; a short-range Bluetooth device connected briefly by a technician is probably less of a concern, unless your vehicle is being targeted specifically.

There have already been vulnerabilities found in OBD II plug-in devices, like the one used with Metromile pay-per-mile auto insurance, about which CERT/CC issued Vulnerability Note VU#209512, “Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities.”

I haven’t seen anything about this issue in a Toyota owner’s manual, but for one of their late-model cars, General Motors writes:

⚠ Warning

The Data Link Connector (DLC) is used for vehicle service and Emission Inspection/Maintenance testing. […] A device connected to the DLC — such as an aftermarket fleet or driver-behavior tracking device — may interfere with vehicle systems. This could affect vehicle operation and cause a crash. Such devices may also access information stored in the vehicle’s systems.​

In present designs, the DLC is a trusted interface, and it is generally assumed that anything attached to it is fully authorized to collect data and enable active test or utility functions, including some that could cause a collision, either directly or by surprising or distracting the driver.

I wouldn’t put too much faith in the automakers’ cyber security measures; software to reprogram immobilizers is widely available, and somehow the chip-tuners stay in business. As I understand it, protections against improper ECU reprogramming are more effective against inadvertent corruption than determined attacks.

It’s my policy not to have anything, with or without a wireless connection, permanently connected to the DLC on my Prius, though I do permit temporary connections for diagnostic and emissions inspection purposes. The absence of a telemetry system, with its own cellular radio, was also one of the reasons I chose the Three Touring trim level rather than the Four.

 

I need to go find my source, but I recall seeing a system diagram showing that the Toyota telemetry system was mostly isolated from other vehicle systems. For example, it did NOT connect to the general CAN bus, and has a separate microphone input. This was much more secure compared to some manufacturers (Ford, I think?) that shared data and audio with the infotainment system. Toyota's design wasn't 100% isolated, but the attack surface area was much smaller.

If I find that source I'll post back with a link.

 

Of course the safest way of all is to only have the OBDII connected when modifying car settings. Yes, I realize this interferes with the way some people consume data from the car. Being a data freak myself, I can empathize.

 

Highly technical, but here are the ridiculously scary details (PDF) of how insecure the 2014 Jeep Cherokee was prior to recall/patching. It also mentions a brief comparison in one detail regarding the 2010 Prius:

This PDF is referenced by the first one above, regarding the systems on a 2010 Prius. One hopes that Toyota improved security in Gen4, but I will assume not until I find evidence to the contrary.

The 2014 Prius ECU and bus connections are listed and diagrammed in this PDF, around page 75 or so. It's the paper I originally thought about regarding the SafetyConnect telematics device.

 

That’s still true for the fourth-generation Prius: according to the Repair Manual and Electrical Wiring Diagram, there are still no multiplex bus connections (CAN, LIN, or otherwise) on the telematics transceiver.

Some other Toyota vehicles do have such connections, however. The diagrams for the Mirai, for example, show that its telematics transceiver is on a CAN bus with the Network Gateway, EV Control, Driving Support, Skid Control, and other ECUs. Interestingly, the connector is the same as the one on the Prius, just with two more pins wired for the CAN bus lines. The same telematics transceiver is used on many other Toyota and Lexus cars, so I don’t think this characteristic is unique to the Mirai as a hydrogen fuel cell vehicle.

 

Most cheap Bluetooth devices have default security and pair automatically with anything. OBDLink MX has a connect button that requires physical access to enable Bluetooth pairing.

 

Billions of devices imperiled by new clickless Bluetooth attack | Ars Technica

More fun with Bluetooth vulns!

Posted via the PriusChat mobile app.

 

Seems like there are new and better/worse vulnerabilities every day. My wife has already found all mine: I'm still searching for hers.

 

Good Day, If I may expand the conversation slightly, this thread seems mostly focused on a Bluetooth or WiFi interface vulnerability. Recent news from the Cyber Wire podcast alerts me to the regular identification of apps on the Google Play Store that are corrupted with malware. (They are properly identified and removed regularly by Google but others are also regularly introduced posing as known apps.) I guess I have a concern that involves the execution of an app that opens doors (cyber not physical) which would leave me vulnerable to ..... (your most frightening thought here.)
Please understand I have no knowledge of a threat or even a rumor of a threat. I'm just performing due diligence BEFORE connecting and employing an app.
Thanks,
Marty

 

A Follow up with some news. But first I'd like to repeat that I don't have any knowledge of or even a rumor of an issue. I'm just cautious and curious. Also I should state that I have no affiliation what so ever with Carista except that I've now purchased a unit and received the response below from the questions I'd presented to their Customer Service. The content of that response is being provided here with their permission.

" Dear Marty .....
Thanks for writing and I'll be happy to respond to your concerns. We do take both privacy and security seriously.

1. You are correct: if you leave the adapter plugged in, someone could walk by and connect to it. In most cases, your car's modules are in sleep mode when the car is locked, so the attacker would probably not be able to do anything, but who knows... So we always advise users to unplug the adapter when they're not using it. Sounds like you're already planning to do that.

2. The app that we upload to Google Play Store is compiled by us from our own source code and signed by us, so it shouldn't be possible for it to get corrupted on the way. If you have the real Google Play Store, then all apps you download should be trustworthily signed by their developers. Of course, if you don't trust the developer, that's a different story (and Google has some automated tests to find malware to address those cases).

3. I'll attempt to summarize the type of data that's sent to us by the app: The app sends anonymized data about the actions users perform in it. All of this data is aggregated and not personally-identifiable (it's collected through Google Analytics) and we can get information like "today, 3214 users opened the app and pressed the CUSTOMIZE button". In addition, you have the option to manually send us a report (log) from the app if you choose to do so, in which case you'd enter your email address and we'd see a log of your actions in the app and communication with the car. This kind of report may also be automatically sent to us (in anonymous form, without an email address) if the app were to crash or fall into other situations that we use for quality assurance and bug fixes. In certain cases, from certain communication with the car that's contained in those logs, it may be possible to infer the VIN of the car. That's about it. For full details, you're certainly more than welcome to read our Terms of Use and Privacy Policy.

Please let me know if this addresses your concerns. I'd also be happy to answer any further questions you might have.
Regards,
Todor Kalaydjiev
Carista "