Zubie OBD2 Hack: Exposing a Critical Car Security Flaw

In an era where vehicles are becoming increasingly connected, the specter of cyberattacks looms larger than ever. Over the past year, cybersecurity researchers have explored potential avenues for malicious actors to compromise vehicles remotely. Now, experts from Israel’s elite cyber intelligence Unit 8200 have uncovered a stark reality: a widely used American in-vehicle technology, the Zubie OBD2 dongle, harbored a vulnerability that could be exploited to remotely manipulate critical vehicle functions such as brakes, steering, and the engine. This revelation marks a significant milestone as the first documented cyberattack targeting a specific in-car “dongle,” potentially signaling a turning point in automotive cybersecurity.

Ironically, the weakness resided within Zubie, a technology designed to enhance driving safety and efficiency. Zubie OBD2 devices monitor vehicle performance and location, providing drivers with insights for improved, responsible driving habits. While Zubie CEO Tim Kelly has confirmed that the identified security issue has been resolved, this incident undeniably amplifies existing concerns about the remote hacking of vehicles through such connected technologies.

Understanding the Zubie OBD2 System and the Vulnerability

The Zubie system is composed of several key components. At its core is the hardware device itself, a dongle that plugs into the On-Board Diagnostic (OBD2) port, typically located beneath the steering wheel of most modern cars. This OBD2 port serves as a gateway to the vehicle’s internal network, enabling the Zubie device to communicate with various car systems. Complementing the hardware is a built-in mobile GPRS modem, facilitating a constant connection to the Zubie cloud. This cloud infrastructure then relays vehicle data to a user-friendly application compatible with both Android and iOS smartphones.

Through meticulous reverse engineering and persistent hacking efforts targeting the Zubie hardware, Ofer Ben-Noon and his team of researchers at Argus Cyber Security, a startup specializing in vehicle cybersecurity, unearthed a crucial vulnerability. The weakness stemmed from the device’s mechanism for downloading updates from a remote server. Crucially, the Zubie OBD2 device employed unencrypted communication channels, relying on standard HTTP protocol for server communication. This lack of encryption meant that the device’s identity wasn’t rigorously verified when receiving updates. Furthermore, the software updates themselves were not digitally signed, leaving them susceptible to tampering. This combination of factors created a significant security gap. A hacker who successfully gained control over the Zubie update server, or even managed to compromise its domain name, could effectively push malicious updates directly to Zubie OBD2 devices in vehicles.
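
The check that was missing from the update path described above, as an added example (not Zubie's or Argus's code): the device pins the vendor's public key and flashes an image only if its signature verifies, so a spoofed update server gains nothing. A Lamport one-time signature over SHA-256 stands in for a production scheme such as Ed25519 so the block runs on the standard library alone; all function names and firmware bytes are constructed for illustration.

```python
import hashlib
import hmac
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(digest: bytes):
    # The 256 bits of a SHA-256 digest, most significant bit first
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, image: bytes):
    # Vendor side: reveal one secret per bit of the image digest
    return [sk[i][bit] for i, bit in enumerate(bits(H(image)))]

def verify(pk, image: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(bits(H(image))):
        ok &= hmac.compare_digest(H(sig[i]), pk[i][bit])
    return ok

def install_update(pk, image: bytes, sig, flash: list) -> bool:
    # Device side: refuse any image that does not verify under the pinned key,
    # regardless of which server or network delivered it
    if not verify(pk, image, sig):
        return False
    flash.append(image)
    return True

def demo():
    vendor_sk, vendor_pk = keygen()      # vendor_pk is pinned in the dongle
    attacker_sk, _ = keygen()            # key held by whoever spoofs the server
    genuine = b"constructed firmware v2"
    tampered = b"constructed firmware v2 + implant"
    sig = sign(vendor_sk, genuine)
    flash = []
    return {
        "genuine": install_update(vendor_pk, genuine, sig, flash),
        "swapped_image": install_update(vendor_pk, tampered, sig, flash),
        "attacker_signed": install_update(
            vendor_pk, tampered, sign(attacker_sk, tampered), flash),
        "unsigned": install_update(vendor_pk, tampered, [], flash),
        "flashed": flash,
    }

if __name__ == "__main__":
    print(demo())
```

A Lamport key must sign only one image; a fielded device would use a reusable scheme and carry the transfer over TLS as well.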

Exploiting the Vulnerability: A Real-World Demonstration

The researchers at Argus Cyber Security demonstrated that the latter attack vector, domain name compromise, could be executed with relative ease. In a controlled experiment, they simulated a real-world attack scenario. By setting up a fake mobile base station in a car park, they were able to spoof a legitimate Zubie server. This allowed them to intercept communication with Zubie devices and inject a malicious update. This malicious update served as a vehicle to implant malware directly onto the Zubie OBD2 device.

Given that the OBD2 port provides direct communication pathways, via the CAN (controller area network) bus, to virtually all critical systems within a vehicle, the potential consequences of such malware infection were severe. The Argus team successfully demonstrated their ability to exploit this access. In a test involving an undisclosed vehicle, they managed to remotely unlock the car doors and manipulate the dashboard dials, as documented in Argus’s public blog post detailing the remote attack on the aftermarket telematics service. Ofer Ben-Noon further explained that with additional research into the specific computing languages governing other vehicle functions, their team could have extended their control to manipulate safety-critical systems like the brakes, steering, and even the engine itself. However, they deemed their initial demonstration sufficient to underscore the gravity of the vulnerability.

Beyond direct vehicle control, the implanted malware also granted the attackers the ability to surreptitiously track the vehicle’s location, monitor driving behaviors, and exfiltrate sensitive vehicle data. As Argus Cyber Security highlighted in their blog, “This clearly violates passengers’ privacy,” raising significant concerns about data security and personal information protection in connected vehicles.

While Ben-Noon refrained from naming the specific vehicle model used in their demonstration, his rationale was to maintain focus on the overarching message: the automotive industry must prioritize and invest in robust cybersecurity measures.

Call for Automotive Cybersecurity and Industry Response

Ben-Noon posed a critical question to the automotive industry: “When will the industry adopt cyber defenses?” He argued that increasing incidents like the Zubie OBD2 hack would inevitably compel the industry to acknowledge and address cybersecurity vulnerabilities, a reality they might currently be hesitant to fully embrace. He emphasized the long-term financial benefits of proactive cybersecurity, stating, “Having cyber systems in a vehicle is a money maker – you save money on brand damage that might occur in the future.” Drawing a parallel with other sectors, Ben-Noon noted, “It will take time for the automotive industry to understand what enterprises already understand.”

He stressed the essential role of secure connectivity in the future of automobiles, asserting, “Car connectivity is a must moving into the future but has to be done in a secure manner. [Tech manufacturers] have to be responsible for their components.”

In response to Argus Cyber Security’s findings, Zubie collaborated closely with the cybersecurity firm to remediate the identified vulnerability. Zubie CEO Tim Kelly stated, “Security and the safety of our customers are top priority at Zubie. Argus recently notified us of a security issue in our device software and we worked quickly to fix it. We have no evidence that any customer’s vehicles were compromised.” Kelly further detailed Zubie’s commitment to security, “Zubie has gone through system-wide security testing, with the NCC Group, accredited automotive security experts and third-party insurance carriers, to protect the safety of both our customers and products. We appreciate Argus’ help in disclosing this vulnerability in a responsible manner to help us improve our overall security posture.”

Argus confirmed Zubie’s swift and responsible action in addressing the vulnerability, although they have not yet had the opportunity to test the updated version of the Zubie OBD2 technology.

OBD2 Port Vulnerabilities: A Broader Perspective

Chris Valasek, a renowned car hacker and security expert at IOActive, corroborated the potential risks associated with OBD2 port access. He affirmed that compromising a device connected to the OBD2 port could grant attackers broad access to a vehicle’s functions. However, Valasek noted that exploiting this access to manipulate specific vehicle systems would require significant effort. Attackers would need to decipher the proprietary protocols and communication languages used by the target vehicle model to control different functions. These protocols vary across manufacturers and models, necessitating hands-on access to the specific vehicle to reverse engineer its communication systems before launching a targeted attack.

Despite these challenges, Valasek underscored that resourceful and determined attackers could potentially compromise a range of vehicles by initially identifying a vulnerability within a device connected to the ubiquitous OBD2 port. Ofer Ben-Noon pointed out the widespread presence of OBD2 ports, stating they have been standard in nearly every car manufactured since 1996. He referenced the earlier car hack by Valasek and Charlie Miller, who famously demonstrated vehicle control through the OBD-II port in a previous experiment with journalist Andy Greenberg. Valasek and Miller are now actively researching methods to achieve remote vehicle hacking without relying on third-party devices connected to the OBD2 port, indicating the evolving landscape of automotive cyber threats.

Earlier in the year, VisualThreat, another cybersecurity company, reported findings from their analysis of 19 OBD dongles and over 120 automotive mobile applications. Their research claimed that a significant 50 percent of the OBD dongles they tested, while not specifically named, exhibited vulnerabilities. VisualThreat asserted they successfully exploited these vulnerabilities to “hijack” Hyundai Sonata and Toyota Camry vehicles, demonstrating capabilities such as opening trunks and doors, controlling lights and horns, and even remotely disabling the engine.

The proliferation of OBD2-connected hardware is undeniable, fueled by the growing popularity of services like Zubie and the expanding usage-based insurance (UBI) industry. UBI relies on OBD2 devices to record driving data for insurance premium calculations. ABI Research projects a substantial growth in OBD-related product subscriptions, anticipating 117.8 million subscribers by 2019, highlighting the increasing relevance and potential attack surface of OBD2 technology.

Craig Smith, founder of the vehicle research lab OpenGarages, author of “The Car Hacker’s Owners Manual,” and contributor to the cybersecurity advocacy group I Am The Cavalry, emphasized the inherent risks of remote update systems connected to the CAN bus or OBD port. He stated, “Any remote update system attached to the CANBus (or OBD port) is an excellent attack vector,” underscoring the critical need for robust security measures in connected vehicle technologies.

Zubie itself has attracted significant investor interest, securing $8 million in funding in August of the same year, including backing from Nokia Growth Partners, adding to a previous $10 million Series A round. Zubie’s core technology is designed to provide valuable feedback to drivers, offering insights into vehicle maintenance needs and promoting safer, more efficient driving practices. In September, Zubie announced a partnership with Progressive Insurance, venturing into the insurance sector by rewarding safe drivers, further expanding its market reach.

The Zubie OBD2 vulnerability and related research serve as a critical wake-up call for the automotive industry and connected car technology providers. Companies like Zubie and their competitors must prioritize and rigorously enforce robust security protocols to safeguard their technologies and, most importantly, ensure the safety and security of drivers in an increasingly interconnected automotive landscape. The future of vehicle technology hinges on building trust and resilience against cyber threats.
