[boltage]

I posted this in the long thread about OBD2 PIDs for the Bolt, but this probably deserves its own thread so that people will notice it.

Some Bluetooth OBD2 dongles have a default Bluetooth pairing password that is the same for all of the same model dongle and cannot be changed. When plugged into the OBD2 port, the dongle is powered up and can also be used to access OBD2 things while the car is "off".

This means that if the dongle is left plugged into the OBD2 port of the parked car, someone else can pair a phone to it and access OBD2 things in your car. With typical apps like Torque Pro and Engine Link, this can mean reading various values and resetting malfunction codes (writing). But since OBD2 allows writing (which is how manufacturer-proprietary functions like reflashing car firmware get done), it is possible that, with a malicious app, someone can do more nefarious things to your car. In theory, a phone paired to the dongle and left attached to the car in a hidden manner could have a malicious app that can detect when the car is being driven and then do things to cause a crash.

So do not leave the dongle attached to the OBD2 port when parked or otherwise not in use. If your dongle can have its Bluetooth pairing password changed, change it to something non obvious.

Note that this is not specific to the Bolt or any other make/model of car.

 

[redpoint5]

I'll wait until this is a problem rather than a theory of a problem. BT has low range, and 99.999% of people don't go around trying to harm others.

 

[desiv]

There can be some mitigating circumstances around that also..
For instance, the cheapo one I have does that with a default PIN, but it will only be in "pairing mode" for the first few minutes (I think just one minute) after power up.
Of course, then the question is, do you have it in a vehicle that leaves it with power all the time, or only when turned on.
If the vehicle always provides power to the OBD2 port, then the device would only be vulnerable when it is unplugged and plugged back in for the first minute.

Not sure how many of them use this "first minute for pairing mode" feature.

 

[Digi]

99.999% of people don't go around trying to harm others.

That is the funniest joke I’ve ever heard. Bravo.

 

[Sean Nelson]

...99.999% of people don't go around trying to harm others.

I consider myself an optimist and generally assume people to be of good intention until evidence indicates otherwise. But I think you're wildly way more optimistic than I am...

 

[redpoint5]

That is the funniest joke I’ve ever heard. Bravo.

That was my guess. The actual number is 99.995% of people don't get murdered in the US. That probably equates to close to 99.999% of people, since some murderers kill multiple people.

The fact is, we're not safe because of door locks and police, we're safe because our families and society produce civilized people.

You can't hack the brakes anyhow, because they are mechanically actuated by the pedal. Pressing it will cause braking to occur regardless of software. Likewise, the steering wheel has mechanical advantage over the steering motor, so you would be able to overcome it even if it is commanded to fight against you.

In the extremely unlikely event I'm murdered, it won't be OBDII takeover:

 

[GJETSON]

That was my guess. The actual number is 99.995% of people don't get murdered in the US.

So not being a murderer is now the standard for good conduct? I am pretty old, but I still remember the bullies, starting in first grade, and on through high school. They were probably one percent of the students. The misery they caused was way out of proportion to their numbers, of course.

We are taught that those folks ultimately get what they deserve. The reality is that some of them go on to be very successful. We all have evolved both aggression, and cooperation, as coping tools. Some manage to make a good living always being on the offensive, and never accepting blame.

 

[ZoomZoom]

We are taught that those folks ultimately get what they deserve. The reality is that some of them go on to be very successful. We all have evolved both aggression, and cooperation, as coping tools. Some manage to make a good living always being on the offensive, and never accepting blame.

Based on the default answer on here when something goes wrong is to get a lawyer and complain to corporate, morality isn't 'taught' and that's where the aggression evolved from.

 

[GJETSON]

Based on the default answer on here when something goes wrong is to get a lawyer and complain to corporate, morality isn't 'taught' and that's where the aggression evolved from.

I know, legally, corporations are people. But how much luck have you had discussing a problem over a beer with one?

Speaking of morality, VW and Boeing comes to mind as recent paragons.

 

[ZoomZoom]

I know, legally, corporations are people. But how much luck have you had discussing a problem over a beer with one?

Speaking of morality, VW and Boeing comes to mind as recent paragons.

Or better yet, how many people actually get anywhere when the default answer is to sue? Everyone seems to forget that the attorney wants a retainer and bills by the minute. These aren't personal injury actions where they take 30% off the TOP after deducting expenses including each photocopy they make.

 

[redpoint5]

So not being a murderer is now the standard for good conduct? I am pretty old, but I still remember the bullies, starting in first grade, and on through high school. They were probably one percent of the students. The misery they caused was way out of proportion to their numbers, of course.

The topic was hijacking OBDII to cause a crash. That seems to imply murderous intention. Since you want to take exception to my comment, are you implying that this "security vulnerability" is something we should be worrying about because bullies existed in school?

Sure, there are bullies. I've bullied at times because that's what boys are inclined to do when they are immature. All people enter the world as complete sociopaths, and maturing is the process of overcoming that nature. We all develop at differing rates, and in different areas too.

Destruction is way easier than construction, so there will always be a disproportionate harm by a few. Technology magnifies this potential.

 

[GJETSON]

The topic was hijacking OBDII to cause a crash. That seems to imply murderous intention. Since you want to take exception to my comment, are you implying that this "security vulnerability" is something we should be worrying about because bullies existed in school?

Sure, there are bullies. I've bullied at times because that's what boys are inclined to do when they are immature. All people enter the world as complete sociopaths, and maturing is the process of overcoming that nature. We all develop at differing rates, and in different areas too.

Destruction is way easier than construction, so there will always be a disproportionate harm by a few. Technology magnifies this potential.

I am not the least worried about it. Central Virginia is not exactly a hotbed of computer hackers. I'd be more concerned about folks dumping deer guts in the ditches near our property.

Your last comment is the reason I am pessimistic about the prospects of civilization.

 

[redpoint5]

Me too, which is why I'm orders of magnitude more concerned about intentional harm by people than I am about the unintentional messing about with the outdoor thermostat. The only way for humanity to survive increasing technological prowess is for us to grow in goodness. Unfortunately technology develops at a much more rapid pace than biology. I can see little else to do about that except to engineer better people (designer babies), because artificially manipulating genetics is the only way to keep pace with other areas of technological advancement. That itself will introduce powerful pathways for malicious intent to be practiced.

 

[GJETSON]

Or better yet, how many people actually get anywhere when the default answer is to sue? Everyone seems to forget that the attorney wants a retainer and bills by the minute. These aren't personal injury actions where they take 30% off the TOP after deducting expenses including each photocopy they make.

Individuals rarely win against corporations. That doesn't prevent one from wishing/wanting to sue. Saying, "I should sue them!" is just a way of venting frustration at our corporate overlords...about as effective as voting.

 

[GJETSON]

Me too, which is why I'm orders of magnitude more concerned about intentional harm by people than I am about the unintentional messing about with the outdoor thermostat. The only way for humanity to survive increasing technological prowess is for us to grow in goodness. Unfortunately technology develops at a much more rapid pace than biology. I can see little else to do about that except to engineer better people (designer babies), because artificially manipulating genetics is the only way to keep pace with other areas of technological advancement. That itself will introduce powerful pathways for malicious intent to be practiced.

Yeah. The folks who can afford a designer baby, and have the ego to think they would know what to choose, are a big concern.

 

[redpoint5]

Huge problems for sure. I like GATTACA for the reason that it brings to light these difficult topics. Designer babies are inevitable too, so the conversations should be had now.

Normal baby making is already a low resolution form of designer baby making. Do we randomly end up with our mates, or do we make decisions about them? Do wealthier men tend to be more attractive to women than poorer men? Is their mating opportunity the same as poor men? Do smarter people tend to have smarter children?

All of the problems associated with engineered babies already exist, they simply aren't magnified by the power of technology. It vastly reduces the randomness of reproduction.

 

[Vertiformed]

To access the Bluetooth LE device, you'd have to stand close to the car, somewhat obviously, for a few minutes. The kind of person running Torque Pro or Engine Link on their phone is likely to be someone who is geeky and middle-class. I'd say odds of their trying something is low.

If you're concerned about low life, worry about your tires or your paint job, not your ODB-II adapter.

Still, probably best to unplug when not in use anyway.

 

[Sean Nelson]

The topic was hijacking OBDII to cause a crash.

Well, the OP mentioned "crash" as an example of what could be done, but I think a far, far more likely scenario is that someone would hack to software to simply unlock the car so they could steal the contents or perhaps the car itself. If someone figures out the hack, it probably woudln't take long before it gets packaged into a simple-to-install app that any neer-do-well could install on their phone. I'm sure that what would follow would be a spate of thefts, not murders.

 

[redpoint5]

Timely... I have some poor quality footage of a lowlife rifling through a car at my rental house yesterday.

I hope AI gets good enough to not only identify a person, but behavior that is suspicious.

 

[Sean Nelson]

I hope AI gets good enough to not only identify a person, but behavior that is suspicious.

I think we already have enough trouble trying to identify suspicious behaviour using "natural" intelligence...