UPDATED 12:45 pm Friday with comment from Vinli.
If you're the type of person who likes to leave his or her vehicle unlocked with the engine running, a 4G-enabled Wi-Fi dongle that plugs into the car's on-board diagnostics (OBD) port should be your next major purchase.
Connecting your automobile's own computer network directly to the Internet makes it easy for you to diagnose maintenance issues, track a teen's driving habits or power a Wi-Fi hotspot. But it also provides an opening for hackers to cut off the brakes, disable the transmission or even lock you inside the car.
"By plugging a device into your car, you are increasing the car attack surface and also opening the door to remote attacks," said Cesar Cerrudo, chief technology officer at Seattle-based security firm IOActive.
Yet in the past few months, a few OBD dongles have appeared on the market, promising to make older vehicles suddenly modern by adding Internet connectivity, remote monitoring and diagnostics, and even apps. We can't stress strongly enough what a bad idea this is.
Remember those guys who cut the transmission on a Jeep Cherokee as it drove on the highway, leading to a huge recall of Fiat Chrysler vehicles this past July? By installing a third-party Internet-connected OBD dongle, you may be making your car just as vulnerable to hackers as that Jeep.
Even if you've got a '98 Tercel, these devices promise that you, too, will soon be able to cruise the Web while rolling down the highway. If you're a concerned parent of a teenager, you'll be able to track Suzie's trips around town in her second-hand Buick.
These gee-whiz devices work by plugging directly into a car's OBD-II port (standard on every vehicle sold in the United States after 1995), giving the gadgets not only 12-volt power, but possibly access to the car's internal Controller Area Network (CAN), even as they connect to the Internet via cellular data connections.
"These things let drivers say, 'Well, I guess I'll keep my low-tech Honda Civic,'" said Josh Corman, a leader of I Am the Cavalry, an organization of security experts aiming to make connected cars safer to use. "But you're making it hackable."
The ZTE Mobley (opens in new tab), introduced this week by AT&T, ostensibly "allows up to five devices to connect to the Internet and use the hotspot data plan to surf the Web, play games and watch videos." (You could do this more safely with a mobile hotspot plugged into the cigarette lighter.)
An AT&T spokesman told me that the Mobley "does not interact with the OBD-II in any way except to draw power," and that its own firmware updates would come over the air and be encrypted and digitally certified.
However, the spokesman could not share a pin-out diagram of the Mobley, which would specify the type of physical connections available. If the device uses off-the-shelf OBD-II plugs, it would have all the pins, and the only way to find out where those pins lead would be to take the Mobley apart.
Another OBD dongle, the Vinli, available beginning next week, doesn't leave any room for doubt — it definitely connects to the CAN. Funded through a very successful IndieGogo campaign, the Vinli aims to "instantly upgrade any car making it smarter, less expensive, more efficient, safer and fun."
The Vinli has Bluetooth and Wi-Fi connectivity, delivers Internet access through a 3G/4G cellular data connection and promises to work with a dozen different smartphone apps.
But because it also provides information on a car's inner workings, it would at least indirectly connect the Internet to the CAN "bus," which shuttles information to the electronic control units (ECUs) that control the brakes, steering, transmission and other systems. (The Vinli company did not immediately respond to a request for comment.)
Less worrisome are Bluetooth-enabled OBD readers such as the Automatic or the Verizon Hum, which only transmit regular OBD output data to nearby smartphones. But it's possible that a malicious smartphone app could use the Bluetooth connection to deliver malicious firmware to the vehicle.
"You can connect to these devices with your phone, tablet, laptop, etc.," Cerrudo said. "What about if you have malware on any of those? Then malware could have access to your car system, too, and if it's smart enough, it probably won't do good things to it."
In through the out door
The OBD port was never designed to power Wi-Fi hotspots, or to transmit and receive wireless data. The port is simply meant to convey diagnostic trouble codes to a car owner or mechanic. Likewise, most cars' internal networks were never supposed to be connected to the Internet, and as a result, have loose or nonexistent security safeguards.
The OBD port generally gets "full, unfettered access to the CAN bus," Corman said. "You can have more than one CAN bus, if the [network] architecture is segmented. But in most makes and models, most do have unfettered access."
That's especially true in older cars, and there are plenty of those still on the road. Owners of sports cars have been using OBD hacks for years to performance-tune their rides. And "white-hat" hackers — otherwise known as security researchers — have caught on.
In 2010, University of Washington researchers used the OBD port to install malicious software on an unspecified model of car (since reported to be a Chevrolet Impala), killing the brakes and locking the ignition while the car was moving. Last month, University of California, San Diego, researchers showed they could cut a Corvette's brakes by sending a text message to a cellular-data-enabled insurance-tracking OBD dongle.
The recent Jeep Cherokee hack that got similar results didn't use an OBD port. Instead, the researchers, Charlie Miller and Chris Valasek, installed malicious firmware via the Sprint wireless connection built into a 2015 Cherokee and many other late-model Fiat Chrysler vehicles.
The wireless connection, of course, is a different "attack surface" from the OBD port. But with the addition of one of these new OBD dongles, any car built after 1995 might have that door propped wide open, too.
Via email, we asked Valasek, who now is working on advanced technologies at Uber, about the feasibility of using an OBD dongle to hack a car.
"It's hard to say without actually looking at the actual dongles," Valasek replied. "I'm sure they range from 'Oh my God' to 'This is fairly secure.'
"Obviously, anything that is connected to the car and the Internet provides additional attack surface," he added, "especially when it is plugged into the diagnostic port, which usually has access to all the safety-critical ECUs (steering, braking, etc., etc.)."
Corman said OBD dongle makers should ensure their devices are secure and can't be used to compromise a car.
"The burden of making yourself more secure should be on the OBD-II devices themselves," Corman said. "If you're the manufacturer, make sure it's only allowed to receive CAN messages, not send them. You're the one introducing the attack surface."
The OBD standard was developed in the 1990s as a way for car mechanics and car owners to monitor exhaust emissions and other vehicular systems. A standardized form of OBD, called OBD-II, became mandatory on all cars sold in the United States beginning in the 1996 model year. (Some 1994 and 1995 models already had OBD-II ports.)
The OBD port, which looks a little like the serial port on an older computer, is often found under a car's dashboard, or in the glove compartment or center console. By law, it has to be in the passenger compartment.
If a car's malfunction-indicator light — commonly known as the "check engine" light — glows on the dashboard, the car owner or a mechanic can plug an OBD reader and get the diagnostic trouble codes related to the light, telling him or her what's wrong with the car. (For example, my own OBD-II reader tells me my car has a chronic exhaust-emissions problem.)
OBD ports are great. They tell car owners a lot more about their vehicles than they could previously get from fluid checks and tire-pressure gauges. But connecting an OBD port to the Internet is the equivalent of putting hydrogen in your tires — it'll run fine for a little while, before it blows up in your face.
"I'm pretty sure soon we will hear news of hackers hacking these devices," Cerrudo said. "I can see a near future where criminal hackers compromise cars in this way and ask you for a ransom to get your car system working again."
UPDATE: In a telephone conversation Friday, Sept. 11, Vinli's CEO, Mark Haidar, told us that the Vinli device's communication with the OBD-II port is one-way, and that the device only receives information from, and does not transmit information to, the CAN bus.
He added that instead of purchasing off-the-shelf male OBD connectors, the company designed its own connector, with two pins removed to prevent transmissions to the vehicle. Unlike regular OBD readers, Haidar said, the Vinli does not allow the user to clear the check-engine light, which would require sending a signal to the vehicle's internal OBD cache.
Haidar also said that the Vinli device physically separates its internal OBD-reading hardware from its wireless-communications hardware, and that only those software components that communicate with smartphone apps are updated over-the-air. Other firmware updates, Haidar said, would need to be done at the factory.