I went out of my way to buy a vehicle with no GSM chip built in whatsoever (that's not easy in 2016). Car companies care as little about protecting their tech as they care about trying to fix the USA's lovely car dealership system.
I know this post is about a dongle, but you can remove a dongle from a car at least. You can't remove the GSM chip from most new cars that's uploading your location to heaven knows where and how many people have hacked their database this week.
I knew IoT devices generally have weak security, but I didn't anticipate them so easily being connected to physically dangerous objects like cars. I wonder how common this will become.
Most trucks in Europe have GPS systems which connect to CAN in order to measure driver efficiency and vehicle condition. They are also connected via the cellphone network to the internet (only sometimes through an APN, the mobile equivalent of a VPN). All of them have security holes, typically much worse than this dongle; just no one has cared to look at them yet.
"Drivelog Connect allows your car to speak to you. Your car directly connects with your smartphone. All the information becomes available at your fingertips."
Many of the features the app offers could be made available in the car's console/monitor.
Like: automotive diagnostics, display of real-time driving behavior (should you really be looking at your smartphone while driving?), a logbook for recording and storing routes...
Seems to me that the main thing they could do that's cheap and easy is require a button press on the device to pair. Unfortunately that's not as simple as a firmware update.
I dunno... the dongle gives up its certificate so that you can brute force it offline. It's an 8-digit numeric-only PIN: 100 million possible PINs, when you can do 100 million SHA-256 computations in 30 minutes on a typical laptop. That seems unwise.
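As an added illustration (not code from the thread or from the dongle's vendor), the cost model behind this comment, using the two figures it quotes: an 8-digit numeric PIN and 100 million SHA-256 computations per 30 minutes on a laptop. It also shows what key stretching (PBKDF2-HMAC-SHA256, an assumed substitute for a plain SHA-256 of the PIN) buys, and what a random 128-bit pairing key would buy instead. Each PBKDF2 iteration is counted as one hash here, a simplification that slightly understates its cost.

```python
import hashlib
import math

# Figures quoted in the thread, taken as given rather than re-measured.
PIN_DIGITS = 8
LAPTOP_HASHES = 100_000_000   # SHA-256 computations ...
LAPTOP_SECONDS = 30 * 60      # ... in 30 minutes

SECONDS_PER_YEAR = 3600 * 24 * 365


def keyspace(digits: int) -> int:
    """Number of candidates for a numeric-only PIN of the given length."""
    return 10 ** digits


def entropy_bits(space: int) -> float:
    """Guessing entropy of a uniformly chosen secret from `space` candidates."""
    return math.log2(space)


def worst_case_seconds(space: int, hashes_per_second: float, iterations: int = 1) -> float:
    """Seconds to try every candidate offline when one guess costs `iterations` hashes.

    This is the attacker's upper bound; on average half the space is searched.
    """
    return space * iterations / hashes_per_second


def derive_pairing_key(pin: str, salt: bytes, iterations: int) -> bytes:
    """Assumed stretched derivation: PBKDF2-HMAC-SHA256 instead of sha256(pin).

    The per-device random salt stops one precomputed table from covering every
    dongle; the iteration count multiplies the attacker's per-guess cost.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations, dklen=32)


def compare_designs(iterations: int = 100_000) -> dict:
    """Worst-case offline search time for three pairing-secret designs."""
    rate = LAPTOP_HASHES / LAPTOP_SECONDS          # hashes per second
    space = keyspace(PIN_DIGITS)
    return {
        "pin_entropy_bits": entropy_bits(space),
        # Plain SHA-256 of the PIN, as described in the thread.
        "plain_sha256_hours": worst_case_seconds(space, rate) / 3600,
        # Same PIN behind PBKDF2: cost grows linearly with the iteration count,
        # but a 26-bit secret still falls to a patient attacker.
        "pbkdf2_years": worst_case_seconds(space, rate, iterations) / SECONDS_PER_YEAR,
        # A random 128-bit key generated at pairing time: out of reach entirely.
        "random_128bit_years": worst_case_seconds(2 ** 128, rate) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name:>22}: {value:.3g}")
```

The takeaway the numbers make explicit: stretching turns half an hour into a few years, which is still not a safe margin for a secret that never changes, so the fix is a longer random secret (or an online-only check with rate limiting on the device), not a slower hash.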
And it allows you to send and receive any CAN bus message you want, versus just some subset of OBDII. As far as I can tell, the features don't require anything other than querying OBDII for some very small subset of data. So if the dongle only passed those request packets, and dropped everything else, it would be miles more secure. Since it appears to be a simple passthrough device, I'm not sure there's enough horsepower in the dongle to fix that with firmware.
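As an added example (not the dongle's firmware and not from the thread), a Python model of the filtering this comment proposes: toward the car, pass only single-frame OBD-II requests for a small allowlist of (service, PID) pairs, plus the ISO-TP flow-control frames the phone must send to receive a multi-frame answer such as the VIN; drop every other frame. The allowlist, the CAN IDs' roles (ISO 15765-4 11-bit addressing: functional request 0x7DF, physical requests 0x7E0-0x7E7, responses 0x7E8-0x7EF) and the sample frames are constructed for illustration.

```python
from enum import Enum

# ISO 15765-4 (OBD-II over CAN), 11-bit identifiers.
OBD_FUNCTIONAL_REQUEST = 0x7DF
OBD_PHYSICAL_REQUESTS = range(0x7E0, 0x7E8)   # tester -> ECU
OBD_RESPONSES = range(0x7E8, 0x7F0)           # ECU -> tester

# Constructed allowlist of (service, PID) requests for a "driving behaviour /
# logbook" feature set. Anything not listed is dropped, so UDS services such
# as DiagnosticSessionControl (0x10) or I/O control (0x2F) never reach the bus.
ALLOWED_REQUESTS = {
    (0x01, 0x05),  # coolant temperature
    (0x01, 0x0C),  # engine RPM
    (0x01, 0x0D),  # vehicle speed
    (0x01, 0x2F),  # fuel level
    (0x09, 0x02),  # VIN (multi-frame response)
}


class Direction(Enum):
    TO_CAR = "to_car"      # phone/dongle -> vehicle bus
    FROM_CAR = "from_car"  # vehicle bus -> phone


def allow_frame(can_id: int, data: bytes, direction: Direction) -> bool:
    """Decide whether one CAN frame may cross the dongle."""
    if direction is Direction.FROM_CAR:
        # The phone only ever needs OBD responses back; nothing else leaks out.
        return can_id in OBD_RESPONSES

    # Toward the car: only the OBD request identifiers are acceptable.
    if can_id != OBD_FUNCTIONAL_REQUEST and can_id not in OBD_PHYSICAL_REQUESTS:
        return False
    if not data:
        return False

    pci_type = data[0] >> 4          # ISO-TP protocol control information
    if pci_type == 0x3:
        # Flow control (PCI 0x3x): sent by the receiver of a multi-frame
        # response, always on a physical ID; carries block size and STmin.
        return can_id in OBD_PHYSICAL_REQUESTS and len(data) >= 3
    if pci_type != 0x0:
        # First/consecutive frames would mean a long request; none needed here.
        return False

    # Single frame: low nibble is payload length, then service byte and PID.
    length = data[0] & 0x0F
    if length != 2 or len(data) < 3:
        return False                 # one PID per request, nothing else
    return (data[1], data[2]) in ALLOWED_REQUESTS


def filter_frames(frames):
    """Split (can_id, data, direction) triples into (passed, dropped) lists."""
    passed, dropped = [], []
    for can_id, data, direction in frames:
        (passed if allow_frame(can_id, data, direction) else dropped).append((can_id, data))
    return passed, dropped


# Constructed sample traffic, not captured from a real vehicle.
SAMPLE_FRAMES = [
    (0x7DF, bytes.fromhex("02010C0000000000"), Direction.TO_CAR),    # RPM request
    (0x7DF, bytes.fromhex("0209020000000000"), Direction.TO_CAR),    # VIN request
    (0x7E0, bytes.fromhex("3000000000000000"), Direction.TO_CAR),    # flow control for VIN
    (0x7E8, bytes.fromhex("04410C1AF8000000"), Direction.FROM_CAR),  # RPM response
    (0x7E0, bytes.fromhex("0210030000000000"), Direction.TO_CAR),    # session control: drop
    (0x123, bytes.fromhex("0102030405060708"), Direction.TO_CAR),    # arbitrary body frame: drop
]

if __name__ == "__main__":
    ok, bad = filter_frames(SAMPLE_FRAMES)
    print("passed:", [(hex(i), d.hex()) for i, d in ok])
    print("dropped:", [(hex(i), d.hex()) for i, d in bad])
```

The check is a few byte comparisons per frame, which is the point of the comment about horsepower: the filtering itself is cheap; whether a passthrough dongle's firmware can be changed to inspect frames at all is the open question.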
kylehotchkiss | 9 years ago
gumby | 9 years ago
Buge | 9 years ago
yetihehe | 9 years ago
alexei_kovelman | 9 years ago
SwedishChemist | 9 years ago
I don't really see the benefit of this app.
azinman2 | 9 years ago
microDude | 9 years ago
For an IoT device I would give this a gold star. I am sure after this report was given to them, they patched their firmware.
tyingq | 9 years ago