Title: pwnobd: Offensive Cybersecurity Toolkit for Vulnerability Analysis and Penetration Testing of OBD-II Devices
Authors: Roberto Gesteira-Miñarro; Ignacio Gutiérrez; Rafael Palacios; Gregorio López
Journal: IEEE Access, vol. 13, pp. 126925-126934
Publication date: 2025-07-16
Publication type: Journal Article
DOI: 10.1109/ACCESS.2025.3589867
URL: https://ieeexplore.ieee.org/document/11082116/
PDF: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11082116
Periodical IF: 3.6
JCR: Q2 (COMPUTER SCIENCE, INFORMATION SYSTEMS)
Region: 3 (Computer Science)
Citations: 0
Abstract
The research field of vehicle cybersecurity has experienced significant growth in interest due to the attack surface that the information systems comprising a vehicle provide and the ever-expanding body of regulations that place special focus on the cybersecurity of vehicular systems. Of particular interest is the attack surface exposed by OBD dongles, wireless devices that connect to the vehicle’s diagnostic port, whose access to the vehicle’s CAN buses could potentially be exploited by adversaries. However, acquiring a vehicle for use in the security assessment of these devices may not be possible for the researcher. In this article, we propose a software tool, pwnobd, that assists in developing proof-of-concept attacks seeking to take advantage of the found vulnerabilities, alongside an architecture for a research and demonstration platform that provides a testbed for vulnerability analysis and penetration testing for attacks towards these devices. A small battery of tests is then performed on several diagnostic devices using this platform, along with a focused study on one such device, proving the potential benefit of such a platform for security researchers.
IEEE Access
COMPUTER SCIENCE, INFORMATION SYSTEMS
ENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC
CiteScore: 9.80
Self-citation rate: 7.70%
Articles published: 6673
Review time: 6 weeks
About the journal:
IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE's fields of interest.
IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE's traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on:
Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE's traditional journals.
Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering.
Development of new or improved fabrication or manufacturing techniques.
Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.