Unprotected WiFi access & Unencrypted data transfer in Vgate iCar2 OBD2 Dongle

Project Description

The Vgate iCar 2 Wi-Fi OBD2 dongle opens an unprotected wireless LAN. This enables an attacker to connect to the network and read information (e.g. from the CAN bus of the car) in cleartext. The network port on the dongle, which is expecting commands, lacks an authentication mechanism. Therefore, an attacker can also send arbitrary commands via all reachable devices on the CAN bus segment to the connected car.

Vendor description

“Based in Shenzhen, China, Vgate Technology.co ltd. specializes in the development, design and manufacture of diagnostic equipment, tools and accessories in the automotive aftermarket industry. We offers a selective range of products from automotive diagnostic tools including code readers and scan tools, to test and inspection equipment such as sensor testers and battery testers. Aside from the above, we also carry garage equipment like infrared paint dryers and pipe expanders, and automotive diagnostic accessories such as OBD diagnostic cable assemblies, SAE J1962 connectors, and vehicle to PC (or PDA) interface adapters (VAG-COM interfaces). Though the company is young in age, we are strong in experiences in that all of  our major engineers have extensive R&D experience in the automotive aftermarket technology. With the combination of our experienced and distinguished specialists, low-cost manufacturing and exceptional customer service, M.B is able to become the supplier of choice who delivers high quality products, user-friendly designs and most competitive prices to both professional and amateur (or DIYers) automotive technicians. We are proud of ourselves in providing cost effective, timely and innovative solutions with a first class service.”

Source: http://www.vgate.com.cn/en/Aboutus.html

Business recommendation

By using the vulnerabilities which are documented in this advisory an attacker can easily send arbitrary messages to the automotive communication bus (CAN/FlexRay/…) of the car electronics and potentially take over safety-critical car functions.

The vendor told SEC Consult in a phone call that our identified security issues are common practice for such hardware and therefore will not be fixed!

SEC Consult recommends not to use this product until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description

1) Unprotected WiFi Access (CVE-2018-11476)

The dongle opens an unprotected wireless LAN which cannot be configured with an encryption / password. This enables anyone within the range of the WLAN to connect to the network without authentication.

2) Unencrypted Data Transfer (CVE-2018-11477)

The data packets which are sent between the App and the OBD dongle are not encrypted. The combination of this vulnerability with the lack of a wireless network protection exposes all transferred car data to the public.

3) Unauthenticated Access to On-board Diagnostics (OBD) (CVE-2018-11478)

The OBD port is used to receive measurement data and debug information from the car. This on-board diagnostics can also be used to send commands to the car which is different for every vendor / car product line / car.

The mentioned features are usually needed for maintenance purposes but can be abused by attackers. This is possible because the OBD interface is directly accessible through port 35000 on the (unprotected) wireless access point of the OBD device.

Because of the fact that it is never intended that other people have access to the data bus (e.g. CAN) of your car while you are driving, this vulnerability is seen as highly critical and a safety-critical threat to the public.

Proof of concept

Detailed of proof of concepts have been removed as the vendor did not provide a patch.

1) Unprotected WiFi Access (CVE-2018-11476)

The unprotected wireless LAN is named “V-LINK”. To create it, the “Fn-Link (6110R-IF)” is used. It acts as wireless UART bridge to hand over the commands of the App to the ELM327 compatible “iCar-2” chip.

2) Unencrypted Data Transfer (CVE-2018-11477)

All commands starting with “AT” and the “0100”/”0120″ are strings which were sent from the App to the OBD Dongle. The “X” character is a wildcard for an arbitrary hexadecimal value and is used to anonymize car data in responses for this advisory.

The following plain-text correspondence was recorded with wireshark during a test-drive:

  ELM327 v2.1 
  OBDII to RS232 Interpreter 
  ELM327 v2.1 
  AUTO, ISO 15765-4 (CAN 11/500)

3) Unauthenticated Access to On-board Diagnostics (OBD) (CVE-2018-11478)

a) Read access on port 35000 to the on-board diagnostics:

  • E.g. by sending the command “090X” vehicle information can be requested
  • By sending the command “AT RV” the battery voltage can be requested
  • The command “AT PPS” prints out the programmable parameter summary

b) Write access to the onboard diagnostics:

It was also possible to send commands to manipulate the CAN bus via WIFI. A Nissan car has been tested for this, proof of concept information has been removed.

Vulnerable / tested versions

Vgate iCar 2 Wi-Fi OBD2 Dongle

Based on an Amazon search a broad range of OBD2 dongles are just rebranded and may contain the same hardware. Some vendor names for the same device are:

  • iCarsoft
  • […]

Vendor contact timeline

2018-04-25:Contacting vendor through support@vgate.com; No response.
2018-05-07:Telephone call with CNCERT: No coordination for products.
2018-05-08:Telephone call with vendor: Vendor do not consider the issues as problematic, will not be fixed
2018-05-25:Requested CVE numbers.
2018-05-29:Release of security advisory


The vendor does not provide a fix and hence this product should not be used, especially while driving the car.



Advisory URL




EOF T. Weber / @2018

Project Details

  • TitleUnprotected WiFi access & Unencrypted data transfer
  • ProductVgate iCar 2 WiFi OBD2 Dongle
  • Vulnerable versionVgate iCar 2 WiFi OBD2 Dongle
  • Fixed version-
  • CVE numberCVE-2018-11476, CVE-2018-11477, CVE-2018-11478
  • ImpactCritical
  • Homepagehttp://www.vgate.com.cn
  • Found2018-04-24
  • ByT. Weber (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!



To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog