Theoretical "auto-brothel" attack on mechanics' computers could infect millions of cars

Companies like GM have engineered their cars so that it's a felony to make independent diagnostic tools for them, or to investigate the official diagnostic tools rented to mechanics in exchange for a promise to only buy GM's hyper-inflated replacement parts.

This official, government-enforced secrecy means that independent researchers are slow to come forward when they discover bugs in car firmware — so showstopper bugs, like the one that let attackers take over a car's steering and brakes over the Internet, the $32 device that opens keyless-entry locks on cars, or the $17 fob that opens the doors and starts the engines of Priuses so they can be driven away, lurk and fester in your car for years before they're disclosed and fixed.

It's also the reason that Volkswagen was able to get away with mass-scale criminality for years.

These bugs also lurk in mechanics' tools, and the tools and the cars can infect each other. A presentation at Derbycon by Craig Smith showed how you could build a piece of malware that was passed from a car to a mechanic's tool, then to all the cars that mechanic serviced, then to all the garages those cars ever visited — like an STD that is passed into a brothel, and then to all the johns who visit it, and then to all the brothels they visit. He's posted source code for such a device to GitHub, and showed how he could build it for $20.

Smith is founder of an open-source car-hacking group called Open Garages.

The tool Smith created simulates that kind of attack by impersonating a malicious car. Primarily, it's a testing device: a way to see what kind of malicious code would need to be installed on a car to infect any diagnostic tools plugged into it. Smith's device is built from a pair of OBD2 (On-Board Diagnostics) ports, the kind that typically appear under a car's dashboard to offer mechanics an entry point to the CAN network that controls a vehicle's physical components. It also uses a resistor and some wiring to simulate a car's internal network, plus a 12-volt power source. All of that is designed to impersonate a car when a dealership's diagnostic tool is plugged into one of the OBD2 ports. The second OBD2 port connects the device to a PC running Smith's vulnerability-scanning software. Smith calls his easily replicated hardware setup the ODB-GW, or Ol' Dirty Bastard Gateway, a play on a common misspelling of OBD and an homage to the late member of the Wu-Tang Clan.

With that ODB-GW plugged into a laptop, Smith's software can perform a technique known as "fuzzing": throwing random data at a target diagnostic tool until it produces a crash or glitch that might signal a hackable vulnerability. Smith says he's already found what appear to be multiple flaws in the dealership tools he's tested so far. One of the handheld diagnostic tools he analyzed didn't check the length of a vehicle identification number. So rather than 14 digits, his car-spoofing device shows that an infected vehicle could send a much longer number that breaks the diagnostic tool's software and allows a malware payload to be delivered. Or, Smith suggests, an infected car could overload the dealership's gadget with thousands of error codes until it triggers the same sort of bug. (Smith says his own tests are still preliminary, and he declined to name any of the diagnostic tools he's tested so far.) "The dealership tools trust that a car is a car," says Smith. "They're a soft target."
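A defensive illustration of the input-validation gap Smith describes, added here as an example that is not from Smith's ODB-GW code or from any vendor's tool: a diagnostic tool's parser that treats the car-supplied VIN and trouble-code replies as untrusted input, rejecting an over-length VIN and a flood of codes instead of copying them into fixed-size buffers. It assumes simplified ISO 15765-4 reply layouts, the standard 17-character VIN, and an assumed cap of 64 codes per poll.

```c
/* Hardened handling of two car-supplied values an OBD-II diagnostic tool
 * must never trust: the VIN (Mode 09 PID 02) and the DTC list (Mode 03).
 * Constructed example; reply layouts are simplified ISO 15765-4 payloads. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VIN_LEN  17   /* ISO 3779 VIN is exactly 17 characters */
#define MAX_DTCS 64   /* assumed cap on codes the tool will process per poll */

enum { OBD_OK = 0, OBD_BAD_HEADER = -1, OBD_BAD_LENGTH = -2,
       OBD_BAD_CHAR = -3, OBD_TOO_MANY = -4 };

/* Constructed sample reply (not captured from a real vehicle): 0x49 0x02 0x01 + VIN. */
static const uint8_t GOOD_VIN_REPLY[] = {0x49, 0x02, 0x01,
    '1','H','G','C','M','8','2','6','3','3','A','0','0','4','3','5','2'};

/* Parse a reassembled Mode 09 PID 02 reply. Copies into out (VIN_LEN+1 bytes)
 * only after the length and character-set checks pass; nothing is written otherwise. */
int parse_vin_reply(const uint8_t *payload, size_t len, char out[VIN_LEN + 1])
{
    if (len < 3 || payload[0] != 0x49 || payload[1] != 0x02 || payload[2] != 0x01)
        return OBD_BAD_HEADER;
    if (len - 3 != VIN_LEN)          /* the check the fuzzed tool lacked */
        return OBD_BAD_LENGTH;
    for (size_t i = 0; i < VIN_LEN; i++) {
        uint8_t c = payload[3 + i];
        int ok = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z');
        if (!ok || c == 'I' || c == 'O' || c == 'Q')  /* VIN alphabet excludes I, O, Q */
            return OBD_BAD_CHAR;
    }
    memcpy(out, payload + 3, VIN_LEN);
    out[VIN_LEN] = '\0';
    return OBD_OK;
}

/* Mode 03 reply: 0x43 <count> <2 bytes per DTC>. Returns the number of codes
 * stored in dtcs (capacity cap), or an error; a flood of codes is refused
 * up front rather than processed until something breaks. */
int parse_dtc_reply(const uint8_t *payload, size_t len, uint16_t *dtcs, size_t cap)
{
    if (len < 2 || payload[0] != 0x43) return OBD_BAD_HEADER;
    size_t n = payload[1];
    if (len != 2 + 2 * n) return OBD_BAD_LENGTH;   /* declared count must match bytes */
    if (n > cap || n > MAX_DTCS) return OBD_TOO_MANY;
    for (size_t i = 0; i < n; i++)
        dtcs[i] = (uint16_t)((payload[2 + 2 * i] << 8) | payload[3 + 2 * i]);
    return (int)n;
}
```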

Car-Hacking Tool Turns Repair Shops Into Malware 'Brothels' [Andy Greenberg/Wired]