Third-party add-on devices for remotely monitoring vehicle data are becoming increasingly popular. These devices plug into the On Board Diagnostic port (OBDII or OBD2) \cite{fox-brewster_zubie:_2014}, which has access to the entire CAN bus. They generally use a cellular network protocol such as 4G LTE to communicate data back to a central server and, most importantly, to receive software updates. Because the OBD2 port has direct access to the CAN bus, the CAN protocol includes no validation, and the devices can be updated remotely, such a system provides an ideal attack vector and makes it possible to compromise all essential vehicle functions.

Such an attack was first demonstrated by Argus Cyber Security \cite{fox-brewster_zubie:_2014}. The team showed how a device meant for gathering safety data, called Zubie, could be compromised with a man-in-the-middle attack, enabling an attacker to load arbitrary code. The attack relied on the fact that the device used insecure HTTP instead of HTTPS, and that software updates to the device were not digitally signed (Ofir and Kapota 2014). The authors exploited this vulnerability by setting up a malicious base station that pretended to be the update server and intercepted the cellular signal from the device; they were then able to load their own code and effectively take control of the device. A similar attack was performed several months later by a different team on a monitoring dongle called SnapShot, issued by Progressive Insurance. This dongle is installed in over two million vehicles, and according to the author~\cite{fox-brewster_hacker_2015}:

\begin{quote}
The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies\ldots{} basically it uses no security technologies whatsoever.
\end{quote}

With both the SnapShot and Zubie, the primary asset to be protected is access to the CAN bus. If the CAN bus is compromised, almost any action can be taken upon the vehicle, including engine and braking control; such a breach directly compromises driver safety. A secondary asset is private information. An attacker could passively monitor all vehicle information and collect that information remotely using the compromised dongle as a server, which could expose personal information about the driver. These assets are primarily threatened by malicious actors performing man-in-the-middle attacks on unsecured add-on devices. The risk to driver safety is likely only to increase with time as more vehicles make use of such devices, and given how much control an attacker gains from such an attack, the potential damage is substantial. However, because the man-in-the-middle attack requires considerable resources to implement, and because of the great diversity in CAN protocols between vehicle makes and models, the risk is somewhat lowered.

Fortunately, there are simple and well-tested protocols to avoid man-in-the-middle attacks. Both examples exploited a complete lack of authentication and encryption; further details are described earlier in this subsection and in the literature \cite{bin_key_2013}\cite{kyusuk_practical_2014}. The main challenge will be ensuring that all such devices implement these basic security procedures as they continue to proliferate in a market that rewards quick product turnaround and as much cost-cutting during development as possible. Given how widely used SnapShot is, and the resources behind the company responsible for it, it seems likely that devices produced by even smaller and less regulated manufacturers will continue to be vulnerable for some time.
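
As an added illustration (not code from the cited work or from either vendor), the following Go program shows the check that both dongles lacked: the device verifies a digital signature over the update before flashing it, so an image substituted by a rogue base station is rejected even when the transport is unencrypted. The package layout, the names \texttt{Update}, \texttt{Sign} and \texttt{Verify}, the choice of Ed25519, and the version-based rollback check are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware package layout (not Zubie's or SnapShot's).
type Update struct {
	Version uint32 // monotonically increasing release number
	Image   []byte // firmware image
	Sig     []byte // Ed25519 signature over version || image
}

var ErrBadSignature = errors.New("signature check failed")
var ErrRollback = errors.New("version not newer than installed")

// signedBytes binds the version to the image so neither can be swapped alone.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// Sign runs on the vendor's build server, which alone holds the private key.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{version, image, ed25519.Sign(priv, signedBytes(version, image))}
}

// Verify runs on the dongle before flashing; it needs only the public key.
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= installed { // refuse replay of an old, signed image
		return ErrRollback
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed demo key
	pub := priv.Public().(ed25519.PublicKey)
	u := Sign(priv, 7, []byte("constructed firmware image"))
	fmt.Println("genuine update:", Verify(pub, 6, u))
	u.Image = []byte("image swapped in transit")
	fmt.Println("tampered update:", Verify(pub, 6, u))
}
```

Because only the public key is stored on the device, extracting a dongle's firmware does not give an attacker the ability to sign updates for other devices.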