Man-in-the-OBD: A modular, protocol agnostic firewall for automotive dongles to enhance privacy and security

Third-party dongles for cars, e.g. from insurance companies, can extract sensitive data and even send commands to the car via the standardized OBD-II interface. Due to the lack of message authentication mechanisms, this leads to major security vulnerabilities for example regarding the connection with malicious devices. Therefore, we apply a modular, protocol-independent firewall approach by placing a man-in-the-middle between the third-party dongle and the car's OBD-II interface. With this privileged network position, we demonstrate how the data flow accessible through the OBD-II interface can be modified or restricted. We can modify the messages contents or delay the arrival of messages by using our fine-granular configurable rewriting rules, specifically designed to work protocol agnostic. We have implemented our modular approach for a configurable firewall at the OBD-II interface and successfully tested it against third-party dongles available on the market. Thus, our approach enables a security layer to enhance automotive privacy and security of dongle users, which is of high relevance due to missing message authentications on the level of the electronic control units.