[Jaepa]

First off this looks cool.

But these 4G connected smart ODB dongles scare the crap out of me. You are giving an IOT device the ability to disable breaks, the transmission, and lock you inside. I'm not really worried about a Maximum Overdrive type situation, giving this much control to a category of devices that was able to take down Dyn because so many of these devices used a subset of 60 common factory default usernames and passwords.

I think there is a good use case for these type of devices, but I think ODB, isn't the right mechanism for it. But I don't know if there will be a new standard.

[joshuata]

OBD2 is incapable of doing any of those things. It is a diagnostic interface to read out information about important systems. There is a standard set of data streams, and vendors add customizations on top. So any OBD2 scanner should work on any car, but it may not be able to parse/display non-standard data streams.

There is some danger of control over the interface, but the interface does not specify any control operations beyond resetting diagnostic codes. The vulnerabilities in the interface stem from automakers repurposing the protocol, and are model/maker specific.

It seems like another protocol would only help if it defined control mechanisms so that carmakers would stop abusing OBD2.

[serf]

>OBD2 is incapable of doing any of those things.

This is false.

OBD2 is utilized very differently by different manufacturers.

I am capable of applying brakes through the ABS system, applying any given throttle percent, shifting the cars sequential manual gearbox, forced over-pressurization of the transmission hydraulic system (for pressure vessel testing and relief valve testing) , or reflashing ANY of the ECMs available to the CANBUS network via the normal OBD2 interface on my BMW E46 M3 using the (bootlegged) OEM Rheingold/INPA software. (Among many many other things)

The ONLY ECM on the E46 M3 that is cordoned away from the OBD2/CANBUS interface is the SRS system (thankfully)

This software is freely available on most public trackers. It's by no-means rare or uncommon.

OBD2 is MUCH more capable than most are aware, especially on manufacturers like BMW or Audi that needed to shoehorn additional tech and diagnosis capabilities into the system.

P.S. I know you mentioned that manufacturers make the interface unsafe; I just wanted to clarify to those reading that it is by no means uncommon for manufacturers to do so nowadays. A consumer should by no means make a judgement about the control of their car by thinking "OBD2 is incapable of doing any of those things." when that's demonstrably not the case for many modern cars.

[j45]

This was really informative. Is there a way to find out how different manufacturers have enabled (or left disabled) such functionality? Would love to know the potential pitfalls before messing around with something like this.

Of course, one thing you could do is have the AutoPi locked down to only reply to a certain IP, VPN connection, etc, but the underlying security issues once connected, remain.

[js2]

Google most likely to find the enthusiast forums for the car/manufacturer, then searching the forurms. Probably there is a subreddit too for your car.

[j45]

I keep my social media on a diet but will def expire reddit. Appreciate the pointer!

[joshuata]

My mistake. I was trying to point out that the OBD2 protocol is not inherently unsafe. I would love to see a new standard emerge for securely interacting with the various systems and processors in a car, but I'm not very hopeful given their tendency to lock-in.

[tdicola]

Actually OBD on moderns cars is pretty much useless, it only reports the basic federally mandated emissions info for e-checks and that's it. All the fun stuff is on CAN and other often proprietary buses.

[serf]

the CANBUS is accessible via the OBD2 interface on many modern cars.