The SEI helps advance software engineering principles and practices and serves as a national resource in software engineering, computer security, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Its core purpose is to help organizations improve their software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time.
The Department of Homeland Security’s US-CERT tasked the CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute (SEI) to study aftermarket on-board diagnostic (OBD-II) devices to understand their cybersecurity impact on consumers and the public.
The CERT/CC analyzed a representative sample of devices for vulnerabilities and found widespread failure to apply basic security principles. If these devices are compromised, the impact may include loss of privacy, vehicle performance degradation or failure, and potential injury.
The CERT/CC hopes this research will better inform consumers, enterprise fleet managers, insurance companies, and policy makers about the potential risks of these devices. The OBD-II port was created to provide consumers with choice and control over their purchase. At the same time, this freedom must be balanced with thoughtful conversations on how to limit adversaries’ access to vehicle internals.