Sriram Iyer

while(!broken) { fix(); }

Observations: OBD2 on My Car

I plan to make the OBD2 adapter a more permanent installation in my car, but seeing that I have the Bluetooth version of the adapter, I was not too happy about the security. Before keeping it plugged in permanently I want to make sure it’s safe. If you see enough Defcon and C3 talks, anything wireless will make you paranoid.

The first gigantic problem is that there is no pairing password. Yep, you just plug it in, start Torque and point it at the device, and without so much as a confirmation the app starts displaying real-time data. This is a rather huge problem if I’m not connected, as it means anyone else can just connect to the device without any authentication. Whether the stream is encrypted or not is something that I’ve not looked into.

Fortunately, like all other Bluetooth devices, once the OBD2 adapter has established an active connection to a device (be it a phone or a PC), other devices cannot connect to it. It’s not a big deal, but it’s something, I guess. In my opinion, it would be reasonably safe (against basic intrusion) to put the adapter into non-discoverable mode if a device did not establish a connection to it within, say, 60 to 90 seconds. It should also go into non-discoverable mode when a device establishes a successful connection. This would drastically reduce the attack window to the first minutes of power up.
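The policy proposed above can be compared with the observed behaviour by modelling both over a timeline. This is an added example, not part of the original post and not the adapter's firmware: the event names, the timeline and the rule that the adapter stays hidden after a disconnect until the next power cycle are assumptions, and it assumes the adapter loses power when the car is off.

```python
# Constructed timeline in seconds: (time, event). Not measured data.
TIMELINE = [
    (0, "power_on"),       # ignition on, adapter powers up
    (20, "connect"),       # the owner's phone connects
    (1500, "disconnect"),  # phone leaves while the car stays on
    (2400, "power_off"),
    (3000, "power_on"),    # second trip, phone never connects
    (3600, "power_off"),
]

def open_window_seconds(events, timeout=None):
    """Seconds during which the adapter is discoverable with no active
    connection, i.e. a nearby stranger could find it and connect.

    timeout=None : observed behaviour, open whenever powered and idle.
    timeout=N    : proposed policy, discoverable only until the first
                   connection or N seconds after power up, then hidden
                   until the next power cycle (assumption).
    """
    total = 0.0
    open_since = None  # start of the current open window, if any
    deadline = None    # time at which the proposed policy hides the adapter
    for t, kind in sorted(events):
        # Close a window whose timeout expired before this event.
        if open_since is not None and deadline is not None and t >= deadline:
            total += deadline - open_since
            open_since = None
        if kind == "power_on":
            open_since = t
            deadline = None if timeout is None else t + timeout
        elif kind in ("connect", "power_off"):
            if open_since is not None:
                total += t - open_since
                open_since = None
        elif kind == "disconnect":
            if timeout is None:
                open_since = t  # observed: idle adapter is open again
        else:
            raise ValueError(f"unknown event: {kind}")
    if open_since is not None:
        raise ValueError("timeline must end with power_off")
    return total

if __name__ == "__main__":
    for label, timeout in (("observed", None), ("60 s", 60), ("90 s", 90)):
        print(f"{label:>8}: {open_window_seconds(TIMELINE, timeout):.0f} s open")
```

The model counts discoverable idle time only; it does not cover the missing pairing password, which remains a problem inside whatever window is left.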

Another worrying issue is that the range on a seemingly cheap device is quite large. I was able to achieve a stable connection all around the car, and it only started breaking when I went a bit more than 5 meters away on the passenger’s side. That would imply that it indeed has an approximate range of 8-10 meters, and the fact that the adapter is placed deep in a recessed part of a large metallic box is doing nothing to attenuate the signal.

I have not even checked if the adapter draws power when the car is turned off.

So, for now, I must say that the situation is not looking good. It seems to be not just highly but completely insecure to have a Bluetooth-based OBD2 adapter permanently plugged into the car. I don’t know how good the Wi-Fi adapters are. If nothing else, a wired adapter might be my only option.