Mobile Devices Information for VU#209512

Mobile Devices C4 OBD2 dongle contains multiple vulnerabilities

Status

Affected

Vendor Statement

Since our devices have access to vehicle electronics, security is a very serious topic in our company and we handle it with high attention. Ensuring security is a never-ending effort which is handled in 3 ways:

• R&D / anticipating security threats
• Company security
• Security in production / deployment 

Regarding the recent study: generally speaking our devices are sold to integrators, and provided with the maximum flexibility and openness for the development of applications. In the telematics industry our mission for 13 years has been to provide the most advanced tools to 1) allow innovation teams to implement and test their concepts and 2) deploy the solution to mass market.
 
So the tools – typically OBD Dongles and device management tools – have 2 modes

• A “development” mode in which it is very easy to implement a program to remotely communicate with the vehicle network and even control a vehicle like the researchers have been doing
• A “production” mode for the deployment phases which can be activated at any time and ensures protection, in which the devices' local and remote access are closed and secured.

About this production mode: devices and device management tools are provided with mechanisms allowing to ensure security but it is usually our customers’ choice to decide when and how to activate them.
 
With the very recent concern of the industry regarding vehicle hacking, we are adopting a different approach to security handling.
In addition to providing a set of recommendations that allow to secure the devices, we offer a full security package which includes in standard all the mechanisms activated. In addition we are defining rules for activating automatically this package in deployment phases. The purpose of these rules is that there can’t be any deployment without all the security features activated. If you want to know more about this, we will be posting updates on www.munic.io.
 
During summer we have been identifying – together with our customers – all the deployments that were made without activating all the security mechanisms and making sure the security pack gets applied to all vehicles that are concerned.
 
Telematics is posing an interesting and very important challenge to all the automotive industry: how can we ensure top security AND keep turning this whole industry into modern open platforms with evolving services?
This is one of the topics we are deeply involved in at Mobile Devices and we will be communicating on.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.