PlaxidityX Working With Bosch to Promote Public Safety and Mitigate Car Hacking

PlaxidityX’s Industry-Leading Cyber Research Group Found Security Gaps In The Bosch Drivelog Connector Dongle and in its Authentication Process With The Drivelog Connect Application And Promptly Informed Bosch, Who Took Immediate Action to Address the Vulnerabilities

TEL AVIV, Israel and STUTTGART, Germany, April 13th, 2017 /PRNewswire/ – PlaxidityX, the world’s largest independent automotive cyber security company, and Bosch, the global supplier of technology and services, announced today that security vulnerabilities were found by PlaxidityX researchers in the Bosch Drivelog Connector dongle and in its authentication process with the Drivelog Connect smartphone application which enabled the researchers to take control of a car via Bluetooth. Following a responsible disclosure made by PlaxidityX to Bosch, their Product Security Incident Response Team (PSIRT) took decisive and immediate action to address the vulnerabilities.

The PlaxidityX research group succeeded in remotely taking over safety-critical vehicle systems via a Bosch Drivelog Connector dongle installed in the vehicle. A vulnerability found in the authentication process between the dongle and the Drivelog Connect smartphone application enabled PlaxidityX researchers to uncover the security code within minutes and communicate with the dongle from a standard Bluetooth device, such as a smartphone or laptop. After gaining access to the communications channel, PlaxidityX researchers were able to duplicate the message command structure and inject malicious messages into the in-vehicle network. Effectively bypassing the secure message filter that was designed to allow only specific messages, these vulnerabilities enabled the PlaxidityX research group to take control of a moving car, demonstrated through remotely stopping the engine.

A full technical account of the attack is posted on PlaxidityX’s blog.

“At our core, PlaxidityX is dedicated to ensuring that vehicles are cyber-safe and our ongoing collaboration with global Tier 1 suppliers and car manufacturers enables us to provide the most advanced cyber security solutions for the automotive industry,” said Yaron Galula, PlaxidityX CTO and Co-Founder. “The Bosch discovery demonstrates that solutions based on cryptography, even when designed by leaders in the industry, are not foolproof and that multi-layered defenses are required to effectively protect vehicles from cyber threats.”

As soon as PlaxidityX found cyber security vulnerabilities in the Bosch Drivelog Connector dongle, Bosch was duly informed. The level of attention the matter received from Bosch top management was significant and their Product Security Incident Response Team worked quickly to immediately address the issues across their security and development divisions.

Bosch expressed its gratitude to the PlaxidityX team for the responsible disclosure of these vulnerabilities and their help throughout the process. “Bosch takes security very seriously. When PlaxidityX informed us about the security gaps, we took immediate action to verify and fix the issues,” said Thorsten Kuhles, head of the Bosch Product Security Incident Response Team (PSIRT). Only a short time after being notified, Bosch has already implemented an initial fix. It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle. Furthermore, an initial attack requires brute forcing the PIN for a given dongle and sending a malicious CAN message that fits the constraints of the dongle and the vehicle. “To further increase security, a patch that fixes the underlying weaknesses in the encryption protocol will be available shortly. This patch will prevent the kind of attack as described by PlaxidityX,” Kuhles adds. Additional work is also being done to further limit the possibility to send unwanted CAN messages and will be rolled out alongside further improvements later in the year.

For more information please refer to the Bosch Security Advisory.

###

About Argus:
PlaxidityX is the world’s largest independent automotive cyber security company. PlaxidityX’s comprehensive and proven solution suites protect connected cars and commercial vehicles against cyberattacks. With decades of experience in both cyber security and the automotive industry, PlaxidityX offers innovative security methods and proven computer networking know-how with a deep understanding of automotive best practices. Customers include car manufacturers, their Tier 1 suppliers, and aftermarket connectivity providers. Founded in 2013, PlaxidityX is headquartered in Tel-Aviv, Israel, with offices in Michigan, Silicon Valley, Stuttgart and Tokyo. Visit www.plaxidityx.com to learn more.

About Bosch:
The Bosch Group is a leading global supplier of technology and services. It employs roughly 390,000 associates worldwide (as of December 31, 2016). According to preliminary figures, the company generated sales of 73.1 billion euros in 2016. Its operations are divided into four business sectors: Mobility Solutions, Industrial Technology, Consumer Goods, and Energy and Building Technology. The Bosch Group comprises Robert Bosch GmbH and its roughly 450 subsidiaries and regional companies in some 60 countries. Including sales and service partners, Bosch’s global manufacturing, engineering, and sales network covers nearly every country in the world. Additional information is available online at www.bosch.com.

PlaxidityX Contact:
Brandon Weinstock
[email protected]
+1-914-336-4878

Contact for Bosch:
Annett Fischer
[email protected]
+49 7062-911-7837
