The Department of Homeland Security’s US-CERT tasked the CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute (SEI) to study aftermarket on-board diagnostic (OBD-II) devices to understand the cybersecurity impact to consumers and the public.
The CERT/CC analyzed a representative sample of devices for vulnerabilities and found widespread failure to apply basic security principles. If these devices are compromised, the potential impact may include loss of privacy, vehicle performance degradation or failure, and potential injury.
The CERT/CC hopes this research will better inform consumers, enterprise fleet managers, insurance companies, and policy makers about the potential risks of these devices. The OBD-II port was created to provide consumers with choice and control over their purchase. At the same time, this freedom must be balanced with thoughtful conversations on how to limit adversaries’ access to vehicle internals.