What does the HEX-NET password actually protect?

[jphughan]

I see the recommendation in the HEX-NET FAQ to change the VCDS-Mobile password, but I don't really see what that adds in terms of security. Even after changing the password to a non-default value, I can still use the HEX-NET from VCDS (desktop) without knowing its password, even if I connect to it over the network rather than USB. And at that point I can do almost everything that can be done within VCDS-Mobile. The only things I can see in VCDS-Mobile that can't be done in VCDS are:

• View Saved Files (are these sensitive?)
• Setting Debug Level (changing that doesn't seem like a security risk)
• Low Power Config (same as above)
• Remote Control (not even sure what this is)
• Change Password, Clear Dataset Cache and Clear Rod Files (all can be done from the physical button. Even if an attacker doesn't have physical access, clearing cache and rod files doesn't seem like a security risk, and changing the password is only a security risk if the password is protecting something worthwhile.)

So what is the envisioned threat model that the VCDS-Mobile password is designed to protect against? The only scenario I can think of is somebody who kept a HEX-NET plugged into their car full-time. In that case, if the HEX-NET had no password, an attacker could connect to it over WiFi and then use VCDS-Mobile to do strange things to the victim's car, whereas this would not be possible with a VCDS-Mobile password. But the problem is that any reasonably determined attacker could simply download VCDS desktop, which is freely and easily obtainable on the Ross-Tech site, and then they would be able to do those things through the HEX-NET even without knowing its password.

If security is a real concern here, then the HEX-NET should require VCDS desktop to provide its password whenever connecting to it over the network. Or at a minimum, there should be an OPTION within VCDS-Mobile to make the HEX-NET operate this way. In that case, if the user selects NET mode in VCDS desktop and clicks TEST to connect to a HEX-NET that has this option enabled, VCDS will prompt for the HEX-NET's password, and the test will only succeed if the password is correct. (Maybe VCDS desktop could optionally store passwords for HEX-NETs by serial number for convenience.) Skipping the password prompt for USB connections would be reasonable, since in that case the user has physical access and could therefore reset the password anyway. But if VCDS desktop can use a HEX-NET over the network with no password, then protecting VCDS-Mobile doesn't seem to deliver much of a security benefit.

 

[Uwe]

So what is the envisioned threat model that the VCDS-Mobile password is designed to protect against? The only scenario I can think of is somebody who kept a HEX-NET plugged into their car full-time. In that case, if the HEX-NET had no password, an attacker could connect to it over WiFi and then use VCDS-Mobile to do strange things to the victim's car, whereas this would not be possible with a VCDS-Mobile password.

Correct. It prevents someone happening by with the phone that we all carry these days, seeing it, and accessing it directly.

It also serves a secondary purpose, keeping someone from barging in on ("stealing") your VCDS-Mobile session unless they know your password.

But the problem is that any reasonably determined attacker could simply download VCDS desktop, which is freely and easily obtainable on the Ross-Tech site, and then they would be able to do those things through the HEX-NET even without knowing its password.

True, this is possible for a "determined attacker" who knows that a HEX-NET is.

Think of it like the locks on your house. A "determined attacker" can defeat them without much trouble. Like those locks, the password on VCDS-Mobile keeps honest (but curious) people with nothing more than the phone that everyone has on them out of VCDS-Mobile. Using VCDS "desktop" requires a PC and I don't know of a whole lot of people who carry one of those around in their pocket.

Of course there's another thing you can do to keep people out of your HEX-NET if you leave it permanently connected: Configure low-power sleep mode and verify it's working as expected.

-Uwe-

 

[jphughan]

Thanks for the reply, Uwe. Fair enough on keeping honest people honest without blocking more determined attackers (or pranksters). I work in IT, so I'm more inclined than average to look at things from a cybersecurity angle. I would still suggest that an option to have the HEX-NET require its password when connecting to it from VCDS desktop over NET would be worth implementing at some point, but I understand that there are other mitigations and that engineering and development time is a finite resource. Thanks again!

 

[jphughan]

One quick follow-up: What is the "Remote Control" feature? There's no explanation on the VCDS-Mobile page. Is that for Ross-Tech employees to access the HEX-NET during a support case or something?

 

[Uwe]

What is the "Remote Control" feature?

It it is something that was planned but hasn't been implemented.

-Uwe-