Advisory Information

  • Advisory ID: BOSCH-2017-0201
  • Published: 13 Apr 2017
  • Last Updated: 13 Apr 2017
  • CVSSv3 Base Score:
    • Improper Authentication: 6.3
    • Permissive Whitelist: 6.5

Summary

Argus Cyber Security has identified two weaknesses in the Bosch Drivelog Connector (OBD-II dongle) and smartphone application. The first issue affects the “Just Works” Bluetooth pairing and mutual authentication process between the dongle and the smartphone application in which an attacker may be able to brute-force the PIN and connect to the dongle. The second issue is that malicious modification of the mobile application may allow unwanted CAN messages to be transmitted to the vehicle through the dongle. It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

Affected Products

Drivelog Connect application 1.1.1 and below
Dongle firmware version 4.8.0 to 4.9.2

Solution

The improper authentication vulnerability in the Bluetooth communication has been mitigated by activating a two-step verification for additional users to be registered to a device. This has been implemented on the server, so no action is required by the user. To further increase security in the authentication process an application and dongle firmware update will also be released.

With the mitigation of the improper authentication vulnerability, successful exploitation of the second issue requires the compromise of the user’s information. This can only occur in connection with malicious modification of the mobile application on the user’s phone, i.e. installing of a malicious modified app not provided by BOSCH.

The ability for a maliciously modified mobile application to possibly send unwanted CAN messages will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.

CVSSv3 Base Score

Improper Authentication Vulnerability: 6.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Permissive Whitelist Vulnerability: 6.5
CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

Vulnerability classification is performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Acknowledgments

Bosch thanks Argus Cyber Security for the coordinated disclosure of these vulnerabilities.

Additional Resources

  1. Argus Cyber Security Press Release
  2. Argus Cyber Security Blog Post
  3. For further inquiries on vulnerabilities in Bosch products and solutions, please contact the Bosch RB PSIRT: https://psirt.bosch.com

Revision History

13 Apr 2017: Initial Publication