ODB- GW: A New Hope in Car Malware Detection Mechanism

By CIOReview | Wednesday, October 7, 2015

FREMONT, CA: Security researcher Craig Smith has launched a new device, called ODB-GW (Ol’ Dirty Bastard Gateway), which he presented at the Derbycon hacker conference in Louisville, Kentucky, against the car-hacking concept, which he named as an ‘auto brothel’.

It enables car dealers to find security vulnerabilities in equipments that are used by mechanics and dealerships to update car software and run vehicle diagnostics. According to a report by Andy Greenberg for Wired.com, the device was invented with the help of approximately twenty dollars of hardware and free software and delivered it on Github with an anticipation that it will help testers in fixing the bugs in dealership tools.

Commenting on his new invention, Craig Smith, says, “By learning what vulnerabilities are found in a car diagnostics tool, an attacker can craft malware that will be able to infect that device, and then use it to spread to other cars that the device is plugged into, or even to the dealership’s WiFi network, and spread to WiFi- enabled cars from there.”

Designed to detect bugs, the tool is crafted from a pair of the OBD2 or On-board Diagnostic ports and a resistor and some wiring to create a car’s internal network and a twelve volt power source. It performs a technique called ‘fuzzing’, where it throws random data at a target diagnostic tool until it produces a crash or glitch that might signal a hackable vulnerability. However, Smith believes that an attack on a dealership’s diagnostics tools wouldn’t always mean to be malicious; it could also be aimed at hauling out cryptographic keys or code that would let car hacker hobbyists modify their own vehicles for better or worse.

“Ideally I want people doing security audits in the automotive industry to be checking dealership tools, too. This is the way to do it,” Smith concludes.