
Are BT OBDII a security/safety risk, or a big one?

Devices like this mention "safe" on the box, but the BT code is 1234, so there is no safety.


We love to use them with "Scan My Tesla" or "TM-Spy" apps, so far, so great.
Those apps/devices interface with the CAN3 bus (Powertrain); a malicious hacker could easily inject pedal signals!

Imagine a script piece like this:
1 look for OBDII BT devices
2 attempt to connect
3 determine if it's a Tesla
4 inject powertrain commands.

The pedals and the motor do speak CAN after all.
The Steering Column Control Module (SCCM), the one that controls drive/reverse/neutral/parking brake, also speaks CAN.

One could probably command a parked car.
So it may be dangerous to have those modules in...
 
So there is no way to change the default passcode?

Whilst it is a possible attack vector, just keep in mind: you would have to be within 10 feet of a powered dongle, and even then, the tdc connector is connected to the internal Ethernet switch.

So it should be read only, as I think the switch only unlocks data flow when the diagnosis tool can send the service code heartbeat in the correct sequences.
 
Yes, no code change, but one could always shield it a bit to reduce range...
Also, the author of the "Scan My Tesla" app mentioned there were sequence numbers and checksums for the drivetrain data, making a MITM attack harder, and (if checksums are more like signing data) very hard.

So yes... it seems like the risk is not that big..
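
The distinction drawn in the post above, between sequence numbers with a checksum and data that is actually signed, shown as an added example that is not part of the original thread: a receiver-side check run over constructed frames. The frame layout, CAN ID 0x108, 4-bit counter, additive checksum and key are all assumptions made for illustration, not the car's real format.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; a real ECU key would be provisioned securely
CAN_ID = 0x108                 # constructed ID, not taken from any real vehicle

def checksum(can_id, counter, payload):
    """Unkeyed 8-bit additive checksum: anyone who knows the rule can compute it."""
    return (can_id + (can_id >> 8) + counter + sum(payload)) & 0xFF

def mac(can_id, counter, payload, key):
    """Truncated HMAC-SHA256 over id, counter and payload: needs the shared key."""
    msg = can_id.to_bytes(2, "big") + bytes([counter]) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

def tag_for(keyed, can_id, counter, payload, key=KEY):
    if keyed:
        return mac(can_id, counter, payload, key)
    return bytes([checksum(can_id, counter, payload)])

class Receiver:
    """Validates integrity first, then a strict +1 rolling 4-bit counter (assumed policy)."""
    def __init__(self, keyed):
        self.keyed = keyed
        self.last = None

    def accept(self, can_id, counter, payload, tag):
        expected = tag_for(self.keyed, can_id, counter, payload, KEY)
        if not hmac.compare_digest(expected, tag):
            return "bad-integrity"
        if self.last is not None and counter != (self.last + 1) % 16:
            return "bad-sequence"
        self.last = counter
        return "ok"

def demo(keyed):
    rx = Receiver(keyed)
    good, altered = bytes.fromhex("10203040"), bytes.fromhex("10203041")
    return [
        # genuine frame
        rx.accept(CAN_ID, 0, good, tag_for(keyed, CAN_ID, 0, good)),
        # same frame seen again: the counter catches it
        rx.accept(CAN_ID, 0, good, tag_for(keyed, CAN_ID, 0, good)),
        # payload changed in transit, tag left as it was
        rx.accept(CAN_ID, 1, altered, tag_for(keyed, CAN_ID, 1, good)),
        # sender without KEY builds a fresh frame and computes its own tag
        rx.accept(CAN_ID, 1, altered, tag_for(keyed, CAN_ID, 1, altered, key=b"not-the-key")),
    ]

if __name__ == "__main__":
    print("checksum:", demo(False))
    print("hmac:    ", demo(True))
```

Both receivers reject the repeated and the altered frame; only the keyed one also rejects a well-formed frame from a sender that does not hold the key.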
 
Does anyone actually know if the OBD2 port (CAN bus data) is read only?

I have a LELink 2 bluetooth LE dongle installed to use TM-Spy. Right now, it appears to power off when the car is off so I'm not too concerned. However, no pairing is required (Bluetooth LE).