Assessing Cybersecurity Risks of Vehicle Accessories: From Wireless Connectivity to Firmware

The research team proposes to conduct comprehensive penetration testing on various emerging vehicle accessories. For example, since 2019, the Federal Motor Carrier Safety Administration (FMCSA) has mandated the use of electronic logging devices (ELDs) for most commercial motor vehicle drivers in the United States. These devices are designed to monitor hours of service (HOS) to reduce fatigue-related accidents. Additionally, OBD-II dongles provide diagnostic capabilities for drivers, repair technicians, and insurance companies. Other examples include dash cameras, vehicle health monitors, and infotainment adapters. Recent research, including that of the research team, has shown that accessories (e.g., ELDs and CarPlay adapters) can serve as attack vectors for compromising vehicle systems. Given that modern vehicles are safety-critical systems, vulnerabilities in these accessories may pose serious real-world risks. More specifically, these accessories typically operate via wireless connections to smartphones, allowing users to manage device settings and monitor performance through companion apps. As a result, vulnerabilities may exist across three components: (1) wireless connectivity (e.g., Bluetooth), (2) mobile applications, and (3) device firmware. The research team therefore proposes to conduct a comprehensive penetration test on these in-vehicle accessories to reveal any potential vulnerabilities.
First, the research team will examine the wireless connection between accessories and smartphones, the initial point of interaction. If unsecured, this connection could be exploited by an attacker to gain unauthorized access and control. The research team's prior work on OBD-II dongles has shown that many of these devices lack authentication, allowing attackers to connect even while a driver is actively using them. The research team will assess whether similar vulnerabilities are present in other types of accessories.
Next, the team will reverse engineer the companion applications. Building on its earlier work, which revealed CAN commands embedded in app code, the research team will extend its analysis to additional accessories. CAN commands are powerful; they can be used to perform operations such as unlocking doors or activating turn signals. Moreover, these apps may store sensitive data, especially in the case of ELDs, which require user authentication to track driver identity and activity. The research team will develop an automated framework that can extract and analyze relevant data from applications, regardless of device.
Finally, the research team will collect and analyze firmware from these accessories to identify embedded security flaws. The research team will create a methodology to automate vulnerability detection, using techniques such as fuzzing, symbolic execution, and fingerprinting. If the firmware uses outdated or vulnerable open-source components, these could be inherited flaws that present systemic risks.

Language

  • English

Project

  • Status: Active
  • Funding: $105,304.00
  • Contract Numbers:

    69A3552348327

  • Sponsor Organizations:

    Office of the Assistant Secretary for Research and Technology

    University Transportation Centers Program
    Department of Transportation
    Washington, DC  United States  20590
  • Managing Organizations:

    Center for Automated Vehicle Research with Multimodal Assured Navigation

    Ohio State University
    Columbus, OH  United States  43210
  • Project Managers:

    Ghasemi, Hamid

  • Performing Organizations:

    Ohio State University

    Columbus, OH  United States 
  • Principal Investigators:

    Lin, Zhiqiang

  • Start Date: 20260101
  • Expected Completion Date: 20260831
  • Actual Completion Date: 0
  • USDOT Program: University Transportation Centers

Filing Info

  • Accession Number: 01981608
  • Record Type: Research project
  • Source Agency: Center for Automated Vehicle Research with Multimodal Assured Navigation
  • Contract Numbers: 69A3552348327
  • Files: UTC, RIP
  • Created Date: Mar 2 2026 7:17PM