CVE-2019-12797
📋 TL;DR
This vulnerability affects clone ELM327 OBD2 Bluetooth devices that use a hardcoded PIN (typically '1234' or '0000'), allowing attackers to pair with the device without authentication. Once connected, attackers can send arbitrary commands to the vehicle's OBD-II bus, potentially affecting critical vehicle systems. This impacts users of counterfeit ELM327 OBD2 Bluetooth adapters connected to their vehicles.
💻 Affected Systems
- Clone/counterfeit ELM327 OBD2 Bluetooth adapters
📦 What is this software?
Elm27 Firmware by Elmelectronics
⚠️ Risk & Real-World Impact
Worst Case
An attacker could send malicious commands to the vehicle's OBD-II bus, potentially disabling safety systems (like ABS or airbags), manipulating engine controls, or accessing sensitive vehicle data while the vehicle is in operation.
Likely Case
Attackers within Bluetooth range could connect to the device, read vehicle diagnostic data, clear error codes, or send basic commands that might affect vehicle performance or trigger warning lights.
If Mitigated
With proper controls like using genuine devices with secure authentication, the risk is limited to physical proximity attacks requiring Bluetooth access to the specific vehicle.
🎯 Exploit Status
Exploitation requires physical proximity (Bluetooth range) to the vehicle. Attack tools for OBD-II communication are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: N/A
Restart Required: No
Instructions:
No official patch exists for clone devices. Replace with genuine ELM327 devices from reputable manufacturers that implement proper security controls.
🔧 Temporary Workarounds
Disable Bluetooth when not in use
Turn off the OBD2 adapter's Bluetooth or disconnect it from the vehicle when not actively using diagnostic tools
Use wired connection
Switch to a wired OBD2 adapter instead of Bluetooth to eliminate wireless attack surface
🧯 If You Can't Patch
- Replace vulnerable clone devices with genuine ELM327 devices from authorized manufacturers
- Implement physical security measures to prevent unauthorized access to the vehicle's OBD2 port
🔍 How to Verify
Check if Vulnerable:
Attempt to pair with the device using common hardcoded PINs like '1234', '0000', '1111', or '6789'. If pairing succeeds without user interaction, the device is vulnerable.
Check Version:
N/A - This is a hardware/firmware issue, not a software version issue
Verify Fix Applied:
Verify the device requires a unique, non-default PIN for pairing that cannot be bypassed with common hardcoded values.
📡 Detection & Monitoring
Log Indicators:
- Unexpected Bluetooth pairing attempts to OBD2 device
- Multiple failed authentication attempts followed by successful connection
Network Indicators:
- Bluetooth connections to OBD2 device from unknown MAC addresses
- OBD2 command traffic from unauthorized devices
SIEM Query:
N/A - This is primarily a physical/Bluetooth security issue rather than network-based
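The log and network indicators above can be checked mechanically if something near the adapter records Bluetooth events. The following is an added example, not part of the original advisory; the `<timestamp> <event> <mac>` log format, the event names (`PAIR_FAIL`, `PAIR_OK`, `OBD_CMD`) and all MAC addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events in an assumed "<timestamp> <event> <mac>" format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 PAIR_OK 00:11:22:33:44:55
2024-05-01T08:00:05 OBD_CMD 00:11:22:33:44:55
2024-05-01T09:12:10 PAIR_FAIL 66:77:88:99:AA:BB
2024-05-01T09:12:14 PAIR_FAIL 66:77:88:99:AA:BB
2024-05-01T09:12:19 PAIR_OK 66:77:88:99:AA:BB
2024-05-01T09:12:30 OBD_CMD 66:77:88:99:AA:BB
not a log line
"""

# Allowlist of devices the owner expects to pair (constructed value).
KNOWN_DEVICES = {"00:11:22:33:44:55"}


def find_alerts(log_text, known=KNOWN_DEVICES, fail_threshold=2):
    """Return (timestamp, mac, reason) tuples for the indicators listed above."""
    fails = defaultdict(int)  # consecutive failed pairings per MAC
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing
        ts, event, mac = parts
        mac = mac.upper()
        if event == "PAIR_FAIL":
            fails[mac] += 1
        elif event == "PAIR_OK":
            # Failed attempts followed by a successful connection
            if fails[mac] >= fail_threshold:
                alerts.append((ts, mac, "success_after_failures"))
            # Pairing from a MAC address that is not on the allowlist
            if mac not in known:
                alerts.append((ts, mac, "unknown_device_paired"))
            fails[mac] = 0
        elif event == "OBD_CMD" and mac not in known:
            # OBD2 command traffic from an unauthorized device
            alerts.append((ts, mac, "obd_command_from_unknown_device"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```
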
🔗 References
- https://www.kth.se/polopoly_fs/1.914060.1561621279%21/Ludvig%20and%20Daniel_final_dongles.pdf
- https://www.kth.se/polopoly_fs/1.917488.1564430206%21/elm327.pdf