Security researcher Craig Smith developed a device to test if car diagnostics tools used in car dealerships to test and fix modern cars can be hacked and then used as infection stations, spreading malware to other cars.
Craig calls this concept an “auto brothel,” and warns that his work found numerous car diagnostics tools to be vulnerable to a series of simple hacking techniques.
His research was presented during this year’s edition of DerbyCon, a security and hacking conference that took place in Louisville, Kentucky.
At the same conference, Craig also introduced a special hardware device he created to test car diagnostics tools found in dealerships, which he called ODB-GW (Ol’ Dirty Bastard Gateway). The software for this tool, the Unified Diagnostic Services (UDS) Server, is also available for download on GitHub.
As Craig explains, the ODB-GW device was created to work as a honeypot, making car diagnostics tools that are plugged into it think it’s a car.
On the other side, Craig plugs the ODB-GW into his laptop, from which he can carry out basic tests and identify weaknesses in the car diagnostics tool.
The technique used by the ODB-GW device to find vulnerabilities is called “fuzzing,” and consists of sending large random pieces of data to a car diagnostics tool and observing how the device reacts, and when and how it crashes.
Mr. Smith says that, by learning what vulnerabilities are found in a car diagnostics tool, an attacker can craft malware that will be able to infect that device, and then use it to spread to other cars that the device is plugged into, or even to the dealership’s WiFi network, and spread to WiFi-enabled cars from there.
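The malformed data described above reaches a diagnostics tool as responses from the (simulated) car. As an added example, not code from the talk or the UDS Server project, this Python sketch shows a strict tool-side check of a single-frame UDS response; the service table, the data identifier 0x0100 and the sample frames are constructed for illustration.

```python
# Added example: tool-side validation of one classical-CAN ISO-TP single frame
# carrying a UDS response. Assumptions: responses fit in one frame, requests do
# not set the suppress-positive-response bit, and the tool only sends the
# three services listed in SERVICES.

NEGATIVE_RESPONSE = 0x7F
# request SID -> (minimum positive-response length, bytes echoed after the SID)
SERVICES = {0x10: (2, 1), 0x22: (4, 2), 0x3E: (2, 1)}


class MalformedResponse(ValueError):
    """A frame from the vehicle side failed validation."""


def parse_response(frame: bytes, request: bytes) -> dict:
    """Check a CAN payload against the UDS request the tool sent."""
    if not 1 <= len(frame) <= 8:
        raise MalformedResponse("CAN payload must be 1 to 8 bytes")
    pci_type, length = frame[0] >> 4, frame[0] & 0x0F
    if pci_type != 0:
        raise MalformedResponse("not a single frame")
    if not 1 <= length <= min(7, len(frame) - 1):
        raise MalformedResponse("invalid single-frame length")
    payload = frame[1:1 + length]  # padding after the declared length is ignored
    sid = request[0]
    if payload[0] == NEGATIVE_RESPONSE:
        if length != 3 or payload[1] != sid:
            raise MalformedResponse("bad negative response")
        return {"ok": False, "nrc": payload[2]}
    min_len, echo = SERVICES[sid]
    if payload[0] != sid + 0x40:
        raise MalformedResponse("response SID does not match request")
    if length < min_len:
        raise MalformedResponse("truncated response")
    if payload[1:1 + echo] != request[1:1 + echo]:
        raise MalformedResponse("echoed bytes do not match request")
    return {"ok": True, "data": payload[1 + echo:]}


def triage(frames, request):
    """Return 'ok', 'negative' or the rejection reason for each frame."""
    results = []
    for frame in frames:
        try:
            results.append("ok" if parse_response(frame, request)["ok"] else "negative")
        except MalformedResponse as err:
            results.append(str(err))
    return results


REQUEST = bytes.fromhex("220100")  # constructed: ReadDataByIdentifier, DID 0x0100
SAMPLES = [bytes.fromhex(h) for h in (  # constructed frames, not captured traffic
    "046201002a000000", "037f223100000000", "0f6201002a000000",
    "056201", "0462ffff2a000000", "1014620100000000")]
```

Calling `triage(SAMPLES, REQUEST)` shows which of the constructed frames a strict parser accepts and why the others are rejected before any field is used.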
“As a security auditor you should definitely test, […] it’s a big area it hasn’t been looked at,” says Mr. Smith, referring to the fact that the car industry has very few security best practices put in place. “Dealerships are relatively squishy, they have very low security, they don’t usually even have an internal IT department. These [diagnostics] tools are trusted. They are tools that aren’t security reviewed.”
“You can make a malicious car, that drives into a dealership, and it’s there to attack the dealership,” says Mr. Smith. “As you plug in the diagnostics tool to see why the engine light is on, it can take over that tool. And then, once you’re on that tool you can get onto any other car that comes in, hence the auto brothel.”
He then goes on to detail scenarios in which hackers could infect the cars or the dealership with ransomware, and demand payment before they unlock the car’s dashboard, either from the car owner or from the dealership in whose care the cars have been left.
Craig’s DerbyCon presentation can be viewed below. Beware, there’s a lot of geeky lingo inside.