Plug-N-Pwned: Comprehensive Vulnerability Analysis of OBD-II Dongles as A New Over-the-Air Attack Surface in Automotive IoT

With the growing trend of the Internet of Things, a large number of wireless OBD-II dongles have been developed, which can be simply plugged into vehicles to enable remote functions such as sophisticated vehicle control and status monitoring. However, since these dongles are directly connected to in-vehicle networks, they may open a new over-the-air attack surface for vehicles. In this paper, we conduct the first comprehensive security analysis of all wireless OBD-II dongles available on Amazon in the US in February 2019, 77 in total. To perform the analysis systematically, we design and implement an automated tool, DONGLESCOPE, that dynamically tests these dongles from all possible attack stages on a real automobile. With DONGLESCOPE, we have identified 5 different types of vulnerabilities, 4 of which are newly discovered. Our results reveal that each of the 77 dongles exposes at least two of these vulnerability types, which indicates widespread vulnerability exposure among wireless OBD-II dongles on the market today. To demonstrate the severity, we further construct 4 classes of concrete attacks with a variety of practical implications such as privacy leakage, property theft, and even safety threats. We also discuss the root causes and feasible countermeasures, and have made the corresponding responsible disclosures.
