On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle

April 2016 White Paper
Dan J. Klinedinst, Christopher King

This report describes cybersecurity risks and vulnerabilities in modern connected vehicles.

Publisher: CERT Division

Abstract

The Department of Homeland Security’s US-CERT tasked the CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute (SEI) to study aftermarket on-board diagnostic (OBD-II) devices to understand the cybersecurity impact to consumers and the public.
 
The CERT/CC analyzed a representative sample of devices for vulnerabilities and found widespread failure to apply basic security principles. If these devices are compromised, the potential impact may include loss of privacy, vehicle performance degradation or failure, and potential injury.
 
The CERT/CC hopes this research will better inform consumers, enterprise fleet managers, insurance companies, and policy makers about the potential risks of these devices. The OBD-II port was created to provide consumers with choice and control over their purchase. At the same time, this freedom must be balanced with thoughtful conversations on how to limit adversaries’ access to vehicle internals.
 
This report describes the team's findings.