Topic: OBD-trackers - how big is the danger?
OBD trackers are produced in hundreds of thousands.
OBD-trackers - how big is the danger?
Published on April 26, 2017
LikedUnlikeOBD-trackers - how big is the danger?93Comment14ShareShare OBD-trackers - how big is the danger?73
Yury Lavrentiev
Managing Director at Wagencontrol | Specialist in fuel and weight telematics, CANbus/FMS reading equipment
OBD-plugged GPS trackers are gaining momentum - and for a good reason. Every modern vehicle has a service OBD2 plug. Such plug grants access to many of standard digital buses: CAN, ISO 9141, J1850, as well as power supply. All that makes OBD trackers so popular - they are so easy to install - technicians don’t need to look for a suitable place to install a tracker, plan cabling and search for places to connect to standard sensors and digital interfaces - everything is in one, easily accessible place. Many well-known GPS tracker manufacturers have OBD trackers among their standard offer - Queclink , Teltonika, Ubotech, CalAmp to name a few.
Manufacturers claim that along with usual GPS tracking, such devices can read data on fuel consumption, RPM, engine temperature, etc, and provide users with simple, clear visualization via smartphone on car’s location and performance, fuel use and even provide advice on eco-driving.
But let's not forget, that OBD plug was originally intended for vehicle diagnostics, that is performed within authorized service center. Such diagnostics is, in fact, an active “conversation” between diagnostics device and units within the vehicle. This includes reading of passports of installed units, error reading and debugging, active engine tests, brakes and other crucial units and systems. Some of this activities require active requests to be sent to the network, and they are mandatory for execution - and the corresponding unit will instantly react accordingly.
With the help of diagnostics tools, you can also raise or lower the cargo platform, change the operating mode of the engine, and in some cases, even turn a steering wheel. All that leads to a simple conclusion - some functions of diagnostics have a direct impact on vehicle’s safety. For example, active test of ABS switches on and off brake control valves!
But can OBD tracker send active requests? Short answer - YES
That can happen because of:
Initial intention to make active requests, for example, to read passports of different units and to debug a vehicle - such solutions are marketed as useful feature that can save user’s time on service
Device can be affected by internal failure, that leads to activation of active requests or errors to be sent
Manufacturer’s software can be hacked and changed via over-the-air set-up functions
Are there any tests?
Currently, there is no reliable data on whether manufacturers of such equipment performed any tests or set up any precaution measures. We really have to see results of tests on how devices perform if they are forced to send requests, how easy/hard it is to break into the software, and to what extend manufacturer’s insiders have the power to influence such devices.
Until then, OBD trackers (and regular GPS trackers with a direct electrical connection to CANbus to that matter) can only be considered as a source of real danger to the safety of the vehicle on the road.
Just think about it - if there is a device, that can communicate with crucial units and send orders for immediate execution to brakes, steering wheel, transmission, etc, and at the same time is connected to the internet, it is not hard to draw a picture of potential danger from hackers and terrorists. With a growing number of connected cars and OBD trackers, manufactured in millions, such concerns are more than real, and will only grow over time.
Just a quick example and real story from experience, on what even unintentional mistake by regular telematics installer can lead to - technician simply pressed a wrong button on setup service kit, tracker send message to the vehicle and suddenly all lights on the control panel were lit up and only professional service was able to fix the problem.
Obviously, manufacturers understand the scope of the potential danger, and some, like Mercedes, are trying to prevent such issues on some truck models by internal software. If it senses external message, or unauthorized connection, slows max speed to 40km/h and switches the vehicle into the mode of “driving to the service station”. But not all manufacturers are doing that, and we all know - any software is hackable. Banks and governments that spend billions on internet security often fail - and according to studies, will continue to do so.
In the modern era of internet of things, where everything is connected, hacking is becoming an ever greater threat. Unlike your connected refrigerator or your connected toothbrush (yes, there are connected toothbrushes), vehicles have a real power to harm and even kill people.
Regular GPS trackers have some protection - if they are connected via contactless readers of CANbus (like CANCrocodile by Technoton), they do not form a direct electric connection and cannot send signals to a vehicle, regardless of what is going on with the tracker. But such readers are not suitable for OBD trackers.
So the question is - should OBD trackers be used until a safe way of connection is found, or reliable data based on safety tests is provided? Please share your thought about that!