Researchers found a way to remotely inject malicious messages into a vehicle's CAN bus.
Bosch has reportedly patched a security vulnerability that could have allowed hackers to remotely attack a vehicle via the company's Drivelog OBD-II dongle.
The Drivelog system is an aftermarket accessory that attaches to a car's diagnostic port and uses a Bluetooth radio to send data to a smartphone. Mobile apps allow drivers to monitor information such as service alerts, average speed or fuel consumption.
Researchers from automotive cyber security firm Argus claim to have developed an exploit capable of remotely taking over safety-critical vehicle systems. The hack takes advantage of a deficiency in Bosch's authentication process between the dongle and the Drivelog Connect smartphone app.
"After gaining access to the communications channel, Argus researchers were able to duplicate the message command structure and inject malicious messages into the in-vehicle network," Argus wrote in a blog post. "Effectively bypassing the secure message filter that was designed to allow only specific messages, these vulnerabilities enabled the Argus research group to take control of a moving car, demonstrated through remotely stopping the engine."
The vulnerability appears to bridge the gap between low-risk hacks that require a direct physical connection and the highest-risk threats that can attack vehicles from across the globe. The exploit uncovered by Argus is remote, but only over the short-range Bluetooth connection, so an attacker would need to be within radio range of the dongle.
Bosch has already implemented an initial fix to address the deficiency. A follow-up patch promises to further improve security by implementing a stronger encryption protocol.