Cyber Security and CAN bus wifi/bluetooth devices (ELM327 etc)

Discussion in 'Gen 4 Prius Technical Discussion' started by PoorPeatree, Feb 12, 2017.

  1. PoorPeatree

    PoorPeatree New Member

    Joined:
    Feb 12, 2017
    6
    9
    0
    Location:
    Alabama
    Vehicle:
    2016 Prius
    Model:
    Two
    Hello all,

    I've recently spoken to a cyber security friend of mine. It appears there are security risks with using a wifi or bluetooth enabled OBD II adapter. I recommend you consider switching to a cable attached version, if you live in a densely populated city or large town. Apparently, it wouldn't be too difficult to engage or disengage critical systems like brakes. I would say the nature of this attack vector and the security of the ECU makes it uncommon. Most drivers are not using always-on wifi OBD II adapters, so most malicious attacks will come from other vectors.

    If any of you know someone with an alternate opinion based on his/her personal experience with CAN bus ECUs in modern autos, please let me know!
     
  2. Elektroingenieur

    Elektroingenieur Senior Member

    Joined:
    Jan 8, 2017
    1,637
    2,213
    9
    Location:
    California
    Vehicle:
    2016 Prius
    Model:
    Three Touring
    This is reasonable advice. The risk is greatest for devices that are always plugged in, have their own cellular or other connections to the Internet, or both; a short-range Bluetooth device connected briefly by a technician is probably less of a concern, unless your vehicle is being targeted specifically.

    There have already been vulnerabilities found in OBD II plug-in devices, like the one used with Metromile pay-per-mile auto insurance, about which CERT/CC issued Vulnerability Note VU#209512, “Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities.”

    I haven’t seen anything about this issue in a Toyota owner’s manual, but for one of their late-model cars, General Motors writes:

    ⚠ Warning

    The Data Link Connector (DLC) is used for vehicle service and Emission Inspection/Maintenance testing. […] A device connected to the DLC — such as an aftermarket fleet or driver-behavior tracking device — may interfere with vehicle systems. This could affect vehicle operation and cause a crash. Such devices may also access information stored in the vehicle’s systems.​

    In present designs, the DLC is a trusted interface, and it is generally assumed that anything attached to it is fully authorized to collect data and enable active test or utility functions, including some that could cause a collision, either directly or by surprising or distracting the driver.

    I wouldn’t put too much faith in the automakers’ cyber security measures; software to reprogram immobilizers is widely available, and somehow the chip-tuners stay in business. As I understand it, protections against improper ECU reprogramming are more effective against inadvertent corruption than determined attacks.

    It’s my policy not to have anything, with or without a wireless connection, permanently connected to the DLC on my Prius, though I do permit temporary connections for diagnostic and emissions inspection purposes. The absence of a telemetry system, with its own cellular radio, was also one of the reasons I chose the Three Touring trim level rather than the Four.
     
  3. wrprice

    wrprice Active Member

    Joined:
    Jul 11, 2005
    415
    308
    0
    Location:
    Houston, TX
    Vehicle:
    2016 Prius
    Model:
    Four Touring
    I need to go find my source, but I recall seeing a system diagram showing that the Toyota telemetry system was mostly isolated from other vehicle systems. For example, it did NOT connect to the general CAN bus, and has a separate microphone input. This was much more secure compared to some manufacturers (Ford, I think?) that shared data and audio with the infotainment system. Toyota's design wasn't 100% isolated, but the attack surface area was much smaller.

    If I find that source I'll post back with a link.
     
    SFO and RCO like this.
  4. bbald123

    bbald123 Thermodynamics Law Enforcement

    Joined:
    Nov 13, 2007
    386
    269
    0
    Location:
    Harrisburg, PA
    Vehicle:
    2016 Prius
    Model:
    Four
    Of course the safest way of all is to only have the OBDII connected when modifying car settings. Yes, I realize this interferes with the way some people consume data from the car. Being a data freak myself, I can empathize.
     
    RCO likes this.
  5. wrprice

    wrprice Active Member

    Joined:
    Jul 11, 2005
    415
    308
    0
    Location:
    Houston, TX
    Vehicle:
    2016 Prius
    Model:
    Four Touring
    Highly technical, but here are the ridiculously scary details (PDF) of how insecure the 2014 Jeep Cherokee was prior to recall/patching. It also mentions a brief comparison in one detail regarding the 2010 Prius:

    This PDF is referenced by the first one above, regarding the systems on a 2010 Prius. One hopes that Toyota improved security in Gen4, but I will assume not until I find evidence to the contrary.

    The 2014 Prius ECU and bus connections are listed and diagrammed in this PDF, around page 75 or so. It's the paper I originally thought about regarding the SafetyConnect telematics device.
     
    #5 wrprice, Feb 15, 2017
    Last edited: Feb 15, 2017
    RCO likes this.
  6. Elektroingenieur

    Elektroingenieur Senior Member

    Joined:
    Jan 8, 2017
    1,637
    2,213
    9
    Location:
    California
    Vehicle:
    2016 Prius
    Model:
    Three Touring
    That’s still true for the fourth-generation Prius: according to the Repair Manual and Electrical Wiring Diagram, there are still no multiplex bus connections (CAN, LIN, or otherwise) on the telematics transceiver.

    Some other Toyota vehicles do have such connections, however. The diagrams for the Mirai, for example, show that its telematics transceiver is on a CAN bus with the Network Gateway, EV Control, Driving Support, Skid Control, and other ECUs. Interestingly, the connector is the same as the one on the Prius, just with two more pins wired for the CAN bus lines. The same telematics transceiver is used on many other Toyota and Lexus cars, so I don’t think this characteristic is unique to the Mirai as a hydrogen fuel cell vehicle.
     
    SFO and RCO like this.
  7. goldfinger

    goldfinger Active Member

    Joined:
    Mar 12, 2012
    535
    392
    0
    Location:
    Buffalo
    Vehicle:
    2016 Prius
    Model:
    Three
    Most cheap Bluetooth devices have default security and pair automatically with anything. OBDLink MX has a connect button that requires physical access to enable Bluetooth pairing.
     
    pilotgrrl, wrprice and RCO like this.
  8. pilotgrrl

    pilotgrrl Senior Member

    Joined:
    Jul 23, 2017
    889
    1,789
    0
    Location:
    Chicagoan in TX
    Vehicle:
    2016 Prius
    Model:
    Three
  9. RCO

    RCO Senior Member

    Joined:
    Aug 31, 2016
    3,708
    5,156
    0
    Location:
    Cornwall
    Vehicle:
    Other Hybrid
    Model:
    N/A
    alanclarkeau, bisco, kithmo and 2 others like this.
  10. SagradaFamilia

    SagradaFamilia Junior Member

    Joined:
    Mar 18, 2010
    20
    17
    0
    Location:
    U.S.A.
    Vehicle:
    2018 Prius
    Model:
    IV
    Good Day, If I may expand the conversation slightly, this thread seems mostly focused on a Bluetooth or WiFi interface vulnerability. Recent news from the Cyber Wire podcast alerts me to the regular identification of apps on the Google Play Store that are corrupted with malware. (They are properly identified and removed regularly by Google but others are also regularly introduced posing as known apps.) I guess I have a concern that involves the execution of an app that opens doors (cyber not physical) which would leave me vulnerable to ..... (your most frightening thought here.)
    Please understand I have no knowledge of a threat or even a rumor of a threat. I'm just performing due diligence BEFORE connecting and employing an app.
    Thanks,
    Marty
     
    pilotgrrl and RCO like this.
  11. SagradaFamilia

    SagradaFamilia Junior Member

    Joined:
    Mar 18, 2010
    20
    17
    0
    Location:
    U.S.A.
    Vehicle:
    2018 Prius
    Model:
    IV
    A Follow up with some news. But first I'd like to repeat that I don't have any knowledge of or even a rumor of an issue. I'm just cautious and curious. Also I should state that I have no affiliation what so ever with Carista except that I've now purchased a unit and received the response below from the questions I'd presented to their Customer Service. The content of that response is being provided here with their permission.

    " Dear Marty .....
    Thanks for writing and I'll be happy to respond to your concerns. We do take both privacy and security seriously.

    1. You are correct: if you leave the adapter plugged in, someone could walk by and connect to it. In most cases, your car's modules are in sleep mode when the car is locked, so the attacker would probably not be able to do anything, but who knows... So we always advise users to unplug the adapter when they're not using it. Sounds like you're already planning to do that.

    2. The app that we upload to Google Play Store is compiled by us from our own source code and signed by us, so it shouldn't be possible for it to get corrupted on the way. If you have the real Google Play Store, then all apps you download should be trustworthily signed by their developers. Of course, if you don't trust the developer, that's a different story (and Google has some automated tests to find malware to address those cases).

    3. I'll attempt to summarize the type of data that's sent to us by the app: The app sends anonymized data about the actions users perform in it. All of this data is aggregated and not personally-identifiable (it's collected through Google Analytics) and we can get information like "today, 3214 users opened the app and pressed the CUSTOMIZE button". In addition, you have the option to manually send us a report (log) from the app if you choose to do so, in which case you'd enter your email address and we'd see a log of your actions in the app and communication with the car. This kind of report may also be automatically sent to us (in anonymous form, without an email address) if the app were to crash or fall into other situations that we use for quality assurance and bug fixes. In certain cases, from certain communication with the car that's contained in those logs, it may be possible to infer the VIN of the car. That's about it. For full details, you're certainly more than welcome to read our Terms of Use and Privacy Policy.

    Please let me know if this addresses your concerns. I'd also be happy to answer any further questions you might have.
    Regards,
    Todor Kalaydjiev
    Carista "
     
    RCO likes this.