Insurance Company Dongles Don't Offer Much Assurance Against Hacking

According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies basically it uses no security technologies whatsoever.”

Is it really a surprise?

[the_B0fh]

That most people don't give a damn about security "because it is hard"?

Re:Is it really a surprise?

[rudy_wayne]

That most people don't give a damn about security "because it is hard"?

Actually, security is not hard. But, security done properly requires you to commit substantial resources -- people, time, money. And that cuts into profits, so most most companies are not interested.

Re:Is it really a surprise?

[Culture20]

Some companies will happily spend money and people on the security problem, but individual people within the company refuse the spend the time, using workarounds to skip having to deal with security. Sometimes this means using the computing resources nonsecurely, but other times it means avoiding using the computing resources.

Re:Is it really a surprise?

[Darinbob]

Adding security features gets in the way of the primary goal, which is to sell the product to unsuspecting companies.

Re: Is it really a surprise?

Why can't you just go with the Flo?

Re:Is it really a surprise?

It's a question of "maximizing shareholder value". Certain states even have a legal requirement that executives take every effort at their disposal to do so. As such, is it that surprising that businesses will roll the dice on such security scenarios that require stars to align in just the right ways to be exploitable, and yet still requires that the person involved intends on doing harm to unknown and unforeseen numbers of people because they adopt the attitude of "eh, fuck 'em"?

Re:Is it really a surprise?

It's not hard if you understand what's going on, what the drawbacks and benefits are, and so on. It does require a little thought, and eg. one of the first things you get presented in crypto class is the idea of a "threat model", ie. the notional powers an attacker has in the face of which your systems should still remain secure. This makes it clear what's going on and gives clear practical leads on how to go about it.

None of that is prevalent pretty much anywhere in applied and industrial computing. In fact, not even the computer security industry is clear about any of this. What you get instead is (deliberately) confusing and confused(!) talk about "hackers"* that are supposedly discernible by their hat colour, but mention any of that and you end up with a quagmire of bickering and arguing. This too is the s'kiddies* on both sides of the law being part of prolonging the problem. It's a good racket for them, but it does mean that the industries incorporating computing devices are not acquiring the right mindset to pick up the work of security the systems. It's all rather expensive play incurring large costs spent on shady characters for little discernible benefit. It's very hard to take seriously even if everyone in the computer security industry habitually shouts at everyone else to get their security act up (and pay them, of course). Again, it's a good racket, but it isn't buying the buyers anything of justifyable value.

* There really are no "hackers" of original definition, as in people of great creativity with technology, to be found in the computer security industry anywhere. Instead we have one trick ponies that keep on "discovering" flaws that all fit a few well-established patterns, and make very loud scary noises every time they find such a thing. From an outsider's perspective, even the supposedly white hats border on blackmail by default. IOW, low standards and shady practises are everywhere in the computer security racket.

Re:Is it really a surprise?

[tibit]

It's not hard, it's simply not part of the usual product specs. The device is supposed to do stuff, that's the primary thrust when doing the development. The mindset of the entire industry must change before we start expecting things to be secure but otherwise buggy first, not - as it is now - functionally perfect but insecure.

Re:Is it really a surprise?

[mysidia]

other times it means avoiding using the computing resources.

Or using different resources... such as Dropbox for file sharing, instead of file server and VPN client.

Re:Is it really a surprise?

[mlts]

Even more ironic, proper security isn't really that hard or expensive. Most of the tools are already sitting there ready to be used, and tools like SolarWinds, Splunk, and adding IDS/IPS functionality to network devices is not budget busting. Heck, just SCOM alerts about the attempts at brute-forcing domain users sent to the right people's email would have stopped the Sony attack in its tracks.

Spoofing!

I've long thought there could be a really lucrative market for OBD2 spoofers. Instead of plugging the dongle directly into your car, plug it into a middle-man that feeds it the "happiest" possible data to make it think your driving is perfect. There is no authentication in the OBD2 protocol so there is no way for the dongle to tell the difference between a real OBD2 data feed and a spoofed one.

Re:Spoofing!

I've long thought there could be a really lucrative market for OBD2 spoofers.

Okay, so there's a market for insurance fraud hardware devices? Are you planning to sell these on this week's reboot of the Silk Road?

BTW, there's better money to be made if you're willing to commit fraud or other felonies. I say skip the penny ante bullshit and go for credit card fraud. Most of those people get away with it because the issuing banks don't give a fuck due to sticking the merchants with the costs.

HTH.

Protip: not everything having to do with computers or electronic hardware needs a new "...on a computer" law in order to render it illegal. You may have confused this with the issuance of patents, where the addition of a computer algorithm is always considered a groundshaking breakthrough and worthy of allowing someone to rent seek over real innovators. No worries, this is a common misunderstanding. Have a nice day!

Re:Spoofing!

[msauve]

I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).

Re:Spoofing!

Better idea...how about we don't participate in this obvious scheme to spy on us via our cars under the guise of monetary savings.

Re:Spoofing!

These types of devices do not really use any of the data off of the ODB2 port.
Power and Ignition sense.
[I worked with them for 7 years]

Re:Spoofing!

I am a software developer and I considered doing this, but it's insurance fraud and it's not worth the risk. I only pay $1200/year for car insurance, it's not worth going to jail so save maybr 20% on that.

Re:Spoofing!

[mjwx]

I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).

This is the reason MOT tests still require the mechanic to look at the car instead of trusting the computer readouts.

Re:Spoofing!

[wiredlogic]

Some are GPS enabled now which allows cross-correlation with the speedometer and internal accelerometer readings to detect fraud. Granted, you could cage the dongle and let them think it couldn't get a GPS fix from its position under the dash. A spoofer would also need it's own accelerometer to generate believable data under acceleration and braking.

Re:Spoofing!

[msauve]

So, how can you tell by simply looking whether the catalytic converter is working properly?

Re:Spoofing!

[kilodelta]

I've had the exact same thought. Only the way I thought of it - find the safest driver you know and just plug the device into their car. A low tech solution for a high tech problem.

Re:Spoofing!

[kilodelta]

The whole thing about fraud against a corporate entity makes me a little bit angry. Who the fuck do those corporations think they are anyhow?

Re:Spoofing!

[turbidostato]

"So, how can you tell by simply looking whether the catalytic converter is working properly?"

A "mechanic to look" is not just "simply looking". By measuring gases at the exhaust pipe you can know about the catalytic converter's health.

Re:Spoofing!

I bought a junk yard engine for my truck, it came with the entire wiring harness and the ECU. Why not power up the ECU on a test bench and work the sensors and have the dongle plugged into that?

Perfect driver every time.

Re:Spoofing!

[AK+Marc]

I've seen cars tuned to pass emissions with the cat removed. They ran like shit, but you could make them run long enough to "fool" the required tests. It's also not illegal to fool the tests. You can tune a car for the test, test it, then modify it (or swap out "illegal" parts for "legal" ones, test, then put them back). I had that "officially" recommended to me when my mod passed emissions, but didn't pass the visual test. The visual test is performed by Alaska to verify any modifications are approved by California, and is unrelated to the performance of the parts. If you can pass the emissions test, you'll fail if your part makers didn't pay the CARB tax.

Re:Spoofing!

[ISoldat53]

I would love to put one of these on a NASCAR car and watch Flo have a stroke.

Re:Spoofing!

[mjwx]

So, how can you tell by simply looking whether the catalytic converter is working properly?

I expected you to be able to figure out that "look" meant running actual manual diagnostics rather than simply trusting the computer.

My only mistake here was underestimating how stupid you were.

Re:Spoofing!

[epyT-R]

savings which will evaporate when the spying is mandated by insurance companies and the law. Insurance is the new slavery.

Re:Spoofing!

[cheater512]

The GPS module is (usually) just sending NMEA serial data. Splice the line and you don't need a faraday cage and complicated spoofer.

Re:Spoofing!

That won't work if they check your speedometer and compare it against what the dongle records. Many states record the mileage during the yearly inspection and report that number to the insurance company (Massachusetts and Nevada are two that I have personal experience with).

Re:Spoofing!

[jrumney]

By measuring the actual emissions using regularly calibrated test equipment (not blindly trusting what the car's uncalibrated sensors are telling you). The visual inspection is to ensure that the emissions are not also coming out from other places they shouldn't be.

Re:Spoofing!

> Okay, so there's a market for insurance fraud hardware devices?

You are right. In the real world everybody is a goody-two-shoes and nobody ever tries to manipulate the system. That's why nobody bothers with passwords, no one wastes time locking their front door and GPS spoofers don't exist. How stupid of me to identify an obvious flaw in the system!!

Re:Spoofing!

[Lumpy]

It is trivial. I can build one with an arduino in 10 minutes. Build one that sits in between so that all the good data is there but it limits the data to acceptable levels so it all looks legit.

Re:Spoofing!

I've long thought there could be a really lucrative market for OBD2 spoofers. Instead of plugging the dongle directly into your car, plug it into a middle-man that feeds it the "happiest" possible data to make it think your driving is perfect. There is no authentication in the OBD2 protocol so there is no way for the dongle to tell the difference between a real OBD2 data feed and a spoofed one.

As if they wouldn't figure it out when the acceleration, speed, and other data didn't match up with the GPS data (which is coming from onboard the dongle itself). *rolls eyes*

Re:Spoofing!

[Lumpy]

you can buy a bottle that you add to your gas tank that will pass a tailpipe test.

Re:Spoofing!

I'd rather just stroke Flo.

Re:Spoofing!

I'm pretty sure they verify the VIN.

Re:Spoofing!

I'd rather just stroke Flo.

To each their own. No doubt others would go to see Flo put on a Tijuana-type show with Maxwell the Geico pig.

Re:Spoofing!

[msauve]

No you can't, not completely. Why do you think OBD monitoring is required, if everything can be checked through simple inspection?

Re: Spoofing!

Because it makes it quicker and easier.

Re:Spoofing!

[the_B0fh]

How stereotypically Slashdot of you to presume that you discovered a trivially exploited "obvious flaw" in a system that somehow the engineers who designed the system weren't able to perceive or address.

Did I miss something, or isn't the article itself saying that the idiots who designed the system did not perceive nor address the issue?

Re:Spoofing!

[drkstr1]

TTWTF is that this is the 20th century thinking that makes such an act illegal (or even considered to be immoral). Insurance companies should be free to price their policies in any manor of their choosing, and we the people should be free to share and spread information to subvert their dirty tricks. Capitalism (as it is practiced) is not suited for the 21st century. It's time for a new economic structure, condusive to an open and free market place of ideas. 20th century thinking needs to die.

Re:Spoofing!

[AK+Marc]

yeah, it's called "gasoline".

And they don't work. If you are running rich, you need an oxygenation. If you are running lean, you need an octane booster. They are nearly opposite, so you don't get both in one. So you need to know the problem before you toss in an additive.

Re:Spoofing!

[danlip]

You think it's possible to implement a "new economic structure" that doesn't favor those with wealth and power more that the current one? The only people interested in a level playing field are those not at the top.

Re:Spoofing!

you realize this article was about how incompetent the dongle makers were.

so i doubt they are doing that.

Re:Spoofing!

[Attila+Dimedici]

Define this new economic structure and we can discuss its possible merits as well as its possible flaws. So far, every one of the "new economic structures" I have seen proposed are actually recycled versions of old economic structures which failed. Your ideas may be different, but until you tell us what they are, we cannot know.

My experience is that most of the problems with our current system are a result of things implemented in the name of "a new economic structure". Things which just made the problems they claimed to be designed to fix worse.

Re:Spoofing!

[mjwx]

No you can't, not completely.

Actually you can. Simple off the shelf units like this one measures all the gasses MOT test for. You dont exactly need a mass spectrometer to get an accurate CO2 reading.

Why do you think OBD monitoring is required,

Its not. Why do you think it's required or better yet, why do you think it's accurate?

if everything can be checked through simple inspection?

The MOT test is not a simple inspection. Its not the 14 point inspection the tyre shop uses to entice gullible people in so they can up sell you on crap you dont need. It test all the essential components of the vehicle from the lighting to the steering to rust on the body.

Re:Spoofing!

[MrKaos]

The whole thing about fraud against a corporate entity makes me a little bit angry. Who the fuck do those corporations think they are anyhow?

They're the entity you need to send the money you worked for to, because it's theirs. Now shut up and send more money.

Re:Spoofing!

[toddestan]

How? I don't know of a way to get the VIN through the ODB2 port, though such a capability wouldn't surprise me terribly with the newest cars. They could try to infer whether the data is consistent with the model of car that's being insured through some of the metrics such as fuel usage. Though the biggest problem would be the GPS showing the car being parked at a place you don't live at, and being driven to a workplace you don't work at.

Re:Spoofing!

[pete6677]

With insurance panda?

Re:Spoofing!

[sjames]

OTOH, in the VCR days there was a thriving market in video stabilizers "for the clearest possible picture".

Naturally, the OBDII simulator would be for people who want to develop their own interface devices.

Re:Spoofing!

People I know in California (and I guess other states that model off of them) just consider it a ritual to unbolt their high-performance exhausts and put the OEM or CARB-approved ones back on for inspection purposes. For a lot of cars its just a 20 minute job.

In looser states that only do an OBD-II emissions readiness test, you can purchase O2 sensor spacers that cause the O2 sensors to get a "better" reading and pass readiness. There is also a version of these spacers that include some catalyst material in them to help. All of this could be done in software, but the companies that distribute the tuning software don't want to run into possible legal trouble by defeating readiness in their modified engine software.

Re:Spoofing!

[sjames]

Actually, they do exactly that for cars built before OBDII. The car goes on a dynamometer and a probe goes in the tailpipe. The tester then runs the car through a standardized set of speeds and durations while the exhaust is measured.

Reading out the OBD is much faster and legislators probably can't even imagine spoofing the data.

Re: Spoofing!

I had cars pass that test because the exhaust system leaked. Just saying.

Re:Spoofing!

[KingMotley]

Perhaps it was perceived, but they determined that the market of people willing to face fines and possible imprisonment so that they can save $10 in their insurance wasn't big enough to warrant the expense of building all that extra security in.

Re:Spoofing!

[sjames]

You better watch that talk about spoofing people's dongles. We don't want another scandal.

Re: Spoofing!

Are we now venturing into safe dongling?
You don't want to get a virus!

Re: Spoofing!

What happens if your dongle is not big enough for the port?

Re: Spoofing!

Great way to catch something, plug your dongle into some random person's port!

Re:Spoofing!

[Bing+Tsher+E]

My favored 'New Economic Structure' is 'Every Man For Himself' in a non-aggressive fashion. So if Person X figures out a way to fuck over the Insurance Companies in a way that doesn't hurt other people in any but a theoretical way (i.e. the old 'If Everybody Did That' bullshit) then all power to them.

Re:Spoofing!

[drkstr1]

Simple. Keep capitalism. Make it so ideas and information can't be owned (copyright is OK, but affords no additional protection except for maybe the right to citation to prevent plagerisim aka fraud). In fact, let's just get rid of all the laws except for maybe a few hundred or so. The laws that we keep should be more like commandments (EG though shall not defraud another when entering into a contract). People should not be regulated. Incorporated persons should be regulated only when and if they interfere with the free market (eg. monopoly abuse, fraud, deception, etc). Let the people weed out bad behavior/ideas naturally.

Re:Spoofing!

Forget spoofing. The device is free, right? It contains a pre-paid GPRS radio, and a GPS receiver, right? Free hackable stuff!

Re:Spoofing!

[drkstr1]

Possible, yes. Easy, absolutely not. When has initiating change on a broad scale ever been easy? It is a chore not for the feint of heart, but one that is necessary from time to time.

Re:Spoofing!

[drkstr1]

PS. The merits would be a more level playing field and upward mobility, and quality of life, at the possible expense of economic efficeincy. But I would argue we are in an age where economic efficiency is no longer needed to improve our quality of life, and may even be detrimental to our long term survival as a species.

Re:Spoofing!

The Macrovision "protection" you're talking about corrupted the video signal, degrading quality on all tvs. I knew plenty of people who weren't interested in copying video at all and who just wanted to watch movies they'd legally purchased without the video going in and out and in and out and in and out... There was a perfectly legitimate market for those devices.

Re:Spoofing!

Yeah, but the lack of security means that OTHER people can hack your car for any number of goals. You conning your insurance is a minor threat.

Re:Spoofing!

[sjames]

And there will probably be someone who wants to develop an OBDII interface who will find a simulator helpful.

After all, it's dangerous to debug while driving.

Re:Spoofing!

[camg188]

I can see spoofing the insurance company but what malicious hacks could these dongles do to your car?

Re: Spoofing!

Analog spoofer.

Re:Spoofing!

[TheRaven64]

Just to clarify, your question is:

A device can run arbitrary malicious code and is connected to a physical link to your car, to a system that has physical links to your engine management system, and was not written with security in mind, what's the worst that can happen?

Re:Spoofing!

[TheRaven64]

Macrovision worked by setting the brightness to maximum during the flyback period when the beam is turned off. What kind of device were your friends using where this interfered with the signal? It was a problem for (some) VHS recorders, because they averaged the brightness over the entire frame and didn't ignore the flyback interval, so you ended up with a very dark copy.

Re:Spoofing!

[gl4ss]

it's not the device that makes the fraud.

it's the individual that would put it between the insurance companys dongle and the car that would be making the fraud, but the device itself wouldn't be illegal as such.. it's not doing copyright circumvention or any such thing, so no need to go on silk road to sell it.

certainly it would be 1000 times more legal than ssl interceptors and such which seem pretty popular for corporate/airline networks...

this thing is just that someone realized there was a market for hastily and lazily done surveillance device and found a market in the insurance companies for it. I mean, if they really cared it wouldn't be using the obd in the first place - it would have it's own accelerator and location sensors - which would have made developing the dongle possibly 10 times more expensive than a stupid microchip .

*note: there's already ready made devices that would fit the bill far better than what the insurance companies are using so it's pretty bizarre! of course, the separate thing might be taken out of the car but what's stopping you from putting this in an another car?

Re:Spoofing!

> How stereotypically Slashdot of you to presume that you discovered a trivially exploited "obvious flaw"

I guess that makes you a stereotypical slashdweeb trying to restate what someone else wrote so that you can feel superior. Congrats on living down to the stereotype.

Re:Spoofing!

To be fair, your engine management system should have been designed with security in mind. Therefore it shouldn't matter what dongles are plugged in.

Re:Spoofing!

[TheRaven64]

To be fair, your engine management system should have been designed with security in mind.

Should be? Sure. Is? Absolutely not, in any shipping design.

Re:Spoofing!

[msauve]

OBD monitoring may not be require in OZ, but it is federally mandated in the US. It monitors things which would pass a simple tailpipe test. You're obviously unfamiliar with what it does, and unqualified to comment.

Re:Spoofing!

[Attila+Dimedici]

So, basically you are saying that we should go back to the system the Framers of the Constitution envisioned. That is not a "new economic structure". Rather it is a return to one which was dismantled.

Re:Spoofing!

I've long thought there could be a really lucrative market for OBD2 spoofers.

Okay, so there's a market for insurance fraud hardware devices?

Fraud?
Did I ever promise to not do this? Nope. No more fraudulent than leaving the ODB dongle in one car and drive recklessly in the other . . .

Re:Spoofing!

[AmiMoJo]

Those boxes are a scam anyway. They don't understand the type of vehicle they are connected to, and they don't understand the road surface being driven on. A lot of young people are getting them fitted to reduce their premiums, and then finding that because they live in a hilly area and have to push the accelerator to the floor just to maintain 30 MPH in their little 1.0 litre super efficient cars the dongle decides they are accelerating too hard. Poorly maintained roads make the accelerometer go nuts, and the box things you are cornering too hard because you are weaving around the pot-holes.

Re:Spoofing!

[AmiMoJo]

Most people don't want to become insurance experts or hope that their circle of friends is clued up enough to protect them. They would rather that their government, the people who work for them, regulate the insurers to ensure fairness. It's cheaper and easier for everyone.

Re:Spoofing!

[AmiMoJo]

The merits would be a more level playing field and upward mobility, and quality of life

I really doubt that. What will happen is the scammers will get rich, much as they do now but on a much larger scale. It's already possible to sell a complete POS simply by advertising the hell out of it, and removing regulations on advertising would just make the situation worse.

Quality of life will plummet as people get screwed by dodgy healthcare contracts or people polluting their environment. They could sue of course, but who has the money for that? Prices will probably sky-rocket as well, since the moment you get rid of all the regulations and restrictions other countries will raise their tariffs to compensate. Free trade is only possible when the two sides have broadly similar costs. If US workers are cheap because they have no rights or protections, the EU will slap duty on US cars being exported to it so they don't undercut European manufacturers.

Re:Spoofing!

[AmiMoJo]

Not all manufacturers build their cars that. Some have an OBD-II bridge between the port and the main bus that makes the port read only except for a few very specific commands like resetting error codes. That's why if you look at those videos of people hacking a Prius on YouTube they have dismantled the entire dashboard. They had to get to the segmented parts of the bus, the diagnostic port was not enough to screw with anything interesting.

Re:Spoofing!

I don't think the OP necessarily meant brand new, as in "never been tried before", but rather as in different from what we have right now.

Unfortunately, despite the libertarian bleating, the framers of the Constitution did not have any such "economic structure" envisioned. The framers of the Constitution were all about political structure, which, while related, is an entirely different thing.

The framers of the Constitution were all in favor of slavery, voting rights only for property owners, voting and property rights only for men, restricting government taxes and capabilities, and allowing the "tragedy of the commons" (aka the free market system) to provide such things as public transportation (roads), public safety (policing), and public health and sanitation.

The framers of the Constitution, after all, were all rich white men who implemented a system to keep themselves in charge. Unfortunately for them, the bones they threw into the mix to make "equality" seem like a thing they supported, to get the poor and middle class to fight and die for the new system, turned out to be far too accessible, despite what seemed to be extremely difficult hurdles to overcome. So, despite their best intentions, political power has been diluted to "the masses" and such things as the public roads and highway system to provide reliable goods transport, public hospitals to prevent plagues, public police forces to reduce crime, public health and food safety monitoring to insure a safe food and medical supply, public assistance to the poor to prevent starvation and suffering from easily preventable disease, all at the cost of public taxes, have been implemented. In addition, maintaining and increasing the white male domination of wealth, economics, and power now requires an inordinate amount of effort, cost, and uncertainty to maintain the status quo.

So, I guess, a truly new system is needed, or an extremely old system, if a truly egalitarian one that could resist internal corruption and external threat, could be found in history.

Re: Spoofing!

So if some guy figures out a way to fuck you over, then what?

Anarchy is only fun until other people start doing what they want...to you.

Re:Spoofing!

[drkstr1]

No, that is what we get in now in the current hegemony. The i would even say the system we have now in practice was designed so the liars thieves and fraudsters can gain an unfair advantage. This is why income is unnaturally distributed to the top, rather than a nice clean bell curve, as it should be, according to natural law. What I am proposing simply boils down to a change in our priorities. One that puts the persuit of knowledge, truth, and honesty above all else. All of that behavior you describe could easily be weeded out in such a system, as no one would have any exceptional advantage over anoter. The common man is more capable than you give them credit for. Let's create a system designed for them.

Re:Spoofing!

[drkstr1]

I would have much rather your +4 insightful mod gone to the people who actually had an interesting/insightful argument against my own. Meh, just goes to show you why you should always browse at 0. That's where all the good stuff is at ;)

Re:Spoofing!

We should not look to the past for answers to problems of our future.

Re:Spoofing!

[Pascoea]

savings

That's a funny joke. I tried the snapshot. What a fucking joke. Three cars: Me, 20 mile daily rush hour commute. Wife, 15 mile "off peak" daily commute. Daughter, car literally sat in the driveway for the three months, with the exception of 2 trips from Minneapolis to Fargo and an occasional trip to the gas station around the corner. Me: 0% (ok, I expected that.) Wife: 3%, daughter 3%. Seriously? What do you have to do to get their 30%?

Re:Spoofing!

[dave420]

But every single person who files a false insurance claim or pretends to be a better driver than they are is costing everyone else money. Every single one of them. You not being able to tell with a cursory glance doesn't change that...

Re:Spoofing!

Times are changin brotha. You can't take a shit these days without it streaming live to ya instabook

Re:Spoofing!

[0100010001010011]

It would actually be a perfect device for simulating the EPA test cycle. It would be a perfect way to sell it legally. The EPA cycle is "the" test for cars in the US so there are plenty of professionals that would love a tool. Some simulation software starts at $5k/license. (CANalyzer). No one says you have to sell your device with 'encryption' so that the EPA cycle would be replaced with whatever cycle you wanted.

Or you could just do it with a cheap uC board these days. These guys are building a engine EFI controller with a $14 circuit board as the base. Even having to spoof their own messages With an ODB/CAN simulator you could easily

And maybe someone would then finally make a legitimate cheap CAN/ODBBluetooth reader instead of clones of clones or a chip that is ages old to read data as well. USBCAN cables from good vendors start at $500 even though the functionality is built into a lot of new chips.

Re:Spoofing!

The VIN is definitely accessible through the ODB-II port.

Re:Spoofing!

[Bob+the+Super+Hamste]

I don't think I pay $1200 a year to insure all 3 vehicles in my household. It probably cost a little more than $1000, but $1200 a year for a single vehicle seems on the high side of things.

Re:Spoofing!

And they DO work. Watched a friend pass a tailpipe test with it. His truck failed smog test before using it.

After adding the bottle to a 1/4 tank of gas and sloshing the thing around on the way to the place.

Hydrocarbons(HC/PPM)
15mph @1628RPM MAX=127 MEASURED=26
25mph @1562RPM MAX=108 MEASURED=16

Carbon Dioxide(C02/PPM%)
15mph @1628RPM MAX=0.55 MEASURED=0.03
25mph @1562RPM MAX=0.69 MEASURED=0.03

Oxides of Nitrogen(NoX/PPM)
15mph @1628RPM MAX=1031 MEASURED=115
25mph @1562RPM MAX=891 MEASURED=115

Re:Spoofing!

[ripvlan]

StateFarm gave me one that ran on my mobile device (not OBD2) - simply using GPS etc.

So I did a few laps of the track and gave them some data.

Garbage in, garbage out.

Re:Spoofing!

Fraud?
Did I ever promise to not do this? Nope. No more fraudulent than leaving the ODB dongle in one car and drive recklessly in the other . . .

I would love to see you try your semantic argument with the DA while they are deciding whether to bring charges.

"Did I ever promise not to take the store's merchandise after they let me walk in through their door?"

"Did I ever promise not to set my own house on fire in order to collect the insurance payout?"

Herp derp.

Deceiving an insurance company to achieve a lower premium than you would otherwise pay is insurance fraud. Your example of driving recklessly in another car is pointless, because you have to get the car insured as well and it will be obvious you aren't using the dongle in it so that will be taken into account in your rate calculation.

Re:Spoofing!

You sell it as an ODB2 test device. Generates ODB2 datastreams to allow you to test your ODB2 interface device offline.

Re:Spoofing!

You can get the VIN and more. Some cars (GM's) you can even get the data to program a new key to the car.. that's how ADS Idatalink modules work for remote starts on GMs (and other vehicles). There's a lot more data flowing down the ODB-II than most people realize

Re:Spoofing!

[bws111]

Huh? They use their own accelerometers to measure acceleration, so your 'hills' scenario makes no sense.

Do you know what the insurance companies care about? Risk. All they want to know is how likely you are to be in an accident. Therefore, contrary to your suggestion, they ARE taking into account things like the road surface. If you are 'weaving around pot-holes' and driving on poorly maintained roads you ARE more likely to be in an accident.

Re:Spoofing!

[mysidia]

Most people don't want to become insurance experts or hope that their circle of friends is clued up enough to protect them.

If not for government regulation, both explicitly in complicated arcane rules, and implicitly in the form of allowing ludicrous litigation, liability, and protecting unions, then the cost of both replacing the car and providing healthcare would be so low, that a year's worth of auto insurance would cost $100.

Since it would cost about $2500 to buy a brand new SUV, and a week's stay in the hospital with all the medical attention required to address serious injuries from an accident would still be less than $3000. You could save up 4 years worth of premiums and stop buying any insurance..... thus creating a competitive downward pressure on insurance rates!

In other words, regulations created by the government are indirectly raising costs by a factor of 20000%.

Re:Spoofing!

I'd be even more interested in one for the purpose of passing emissions tests... though you wouldn't be able to just plug inline as they 'techs' running the test would notice it.

Re:Spoofing!

> How stereotypically Slashdot of you to presume that you discovered a trivially exploited "obvious flaw"

I guess that makes you a stereotypical slashdweeb trying to restate what someone else wrote so that you can feel superior. Congrats on living down to the stereotype.

Ha, and now you have arrived to fill in the stereotypical Slashdot "meta-snark" role, bringing this to a trifecta.

There you have it, folks: a fractal microcosm of Slashdot in a single thread.

Re:Spoofing!

We should not look to the past for answers to problems of our future.

Yes, I strongly prefer being doomed to repeat history.

Re:Spoofing!

No, you gotta return it after your monitoring period is over.

Re:Spoofing!

After all, it's dangerous to debug while driving.

Ah, then I suggest you consider using an AutoExec Wheelmate Steering Wheel Attachable Work Surface Tray. Over 1,100 reviewers can't be wrong!

Re:Spoofing!

Situations change, and applying historical context to modern day problems does not always work out as one would expect.

Re:Spoofing!

How stupid of me to identify an obvious flaw in the system!!

How stereotypically Slashdot of you to presume that you discovered a trivially exploited "obvious flaw" in a system that somehow the engineers who designed the system weren't able to perceive or address.

For your meritorious service to the community, far beyond the call of duty, I hereby promote you to Admiral Obvious, with all of the rights and privileges thereto.

Damn! Battlefield promotion to Admiral. How special.

Re:Spoofing!

PS. The merits would be a more level playing field and upward mobility, and quality of life, at the possible expense of economic efficeincy. But I would argue we are in an age where economic efficiency is no longer needed to improve our quality of life, and may even be detrimental to our long term survival as a species.

If everybody is rich, then no one is truly rich. There can be no level playing field. Society will not function if everyone is truly equal.

Re:Spoofing!

I've long thought there could be a really lucrative market for OBD2 spoofers. Instead of plugging the dongle directly into your car, plug it into a middle-man that feeds it the "happiest" possible data to make it think your driving is perfect. There is no authentication in the OBD2 protocol so there is no way for the dongle to tell the difference between a real OBD2 data feed and a spoofed one.

Answer this question.
Out of a million drivers, how many would hack the system to defeat the OBD2? Is the number in the tens, hundreds or even up to a thousand? I doubt it.

And with the revenue from OBD2, do you not think that the company may be adding all the extras for the next release?

Hello insurance fraud

[Dan1701]

The most obvious reason for an attack here is to commit insurance fraud. At present, an insurance company is forced to base an insurance premium on all the meta-data they can possibly gather about the prospective client, excepting their sex if they are in the EU (although this may well lead to a quite astonishing number of men called "Sue", if insurance companies attempt to bypass this and link first names to insurance risk).

A data-gathering dongle would seem to offer a much better deal, allowing the company to charge more if the user indulges in risky behaviour of some description.

A possible reason for hacking into the module would therefore be to falsify the data sent back to the company; a boy racer who regularly breaks speed limits, corners absurdly fast and brakes late if at all would gain substantially from a fraudulent data recording which portrayed him as someone with the driving habits of an octogenarian grandmother; such a person might also think that the gamble of sending such phoney data was well worth the savings when set against the fairly low risk of getting caught.

It therefore worries me that companies are this lazy when building such equipment. It really doesn't take all that much to keep out the majority of crackers right from the start, and as the skilled ones are in the minority, taking a little care initially would pay dividends down the line.

Re:Hello insurance fraud

[viperidaenz]

What about hacking the completely unsecured wireless internet connected device connected to the cars diagnostic port and put the traction control system in to diagnostic mode and apply the brakes at in inappropriate time. Wireless assassination!

Re:Hello insurance fraud

Reprogramming most of these GPS devices are not that hard. With Xirgo you can do it with SMS commands, you just need to know the sim phone number.

Re:Hello insurance fraud

[msauve]

Yes, this.

Where's the proof of concept firmware which generates a fake, slightly randomized weekday round trips to work at speeds below the limit, and totally ignores real world driving?

It seems to be mainly the interest of the insurance company to add security, not the user's.

Re:Hello insurance fraud

[BarbaraHudson]

There's a problem with that scheme. The fake dongle says you got from point A to point B in much more time than it took, right? So what happens if, at point B, you're in an accident? The fake dongle won't sent the right data for that, at the right time, and probably witnesses and the other driver will also give the right time (esp. if the other driver has a real dongle).

Also, a car tends to sustain much more damage from a 60 mph impact than a 25 mph impact.

Re:Hello insurance fraud

[Mal-2]

There's a problem with that scheme. The fake dongle says you got from point A to point B in much more time than it took, right? So what happens if, at point B, you're in an accident? The fake dongle won't sent the right data for that, at the right time, and probably witnesses and the other driver will also give the right time (esp. if the other driver has a real dongle).

Also, a car tends to sustain much more damage from a 60 mph impact than a 25 mph impact.

You don't adjust the arrival time at point B, you adjust the departure time from point A.

Re:Hello insurance fraud

[DarkOx]

See the trouble with that is unless he can be sure, that in the event of an accident he is able to remove the device and conceal any evidence of tampering, at the scene he will be awful unhappy when they deny his claim and prosecute him for fraud.

All the fancy computer security aside, they could probably just use one of those stickers that leaves 'void' behind when you pull it off applied by the agent across the device where it meets the ODBII/III connector.

Re:Hello insurance fraud

[BarbaraHudson]

And the excess damage?

Re:Hello insurance fraud

[Joe_Dragon]

so will the agent be there for each Vehicle Emissions testing? each time you go to the dealer or some where for a check engine light?

Be there for an 3rd party oil change
http://www.mudah.my/BMW+OBD+II...

Re:Hello insurance fraud

The brick wall was accelerating rapidly.

Re:Hello insurance fraud

[turbidostato]

"And the excess damage?"

What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor I designed my car.

Do you think I commited fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for puting me at risk for your lack of due diligence.

Re:Hello insurance fraud

[AK+Marc]

You don't expect to get caught. Also, you time your "fake" trips to be well off from your regular routine. The dongle will be sending back "parked in the garage" at the time of the crash. Then you just plug it in and claim it must have malfunctioned. Just because you are too dumb to fool someone else, doesn't mean we all are.

Re:Hello insurance fraud

[silas_moeckel]

Or we can just ban these idiotic things, whats next health insurance companies stapling pedometer's onto people get a lower rate?

Insurance is supposed to be about aggregating risk, the problem is the lower end of the risk pool is paying more then the out of pocket they could expect and leave the pool if they can. Auto insurance is harder to leave you have to drive (if you want to live outside an urban envirnment) and it's not optional.

Re: Hello insurance fraud

Oops. Your dongle broke too. Sorry!

Re:Hello insurance fraud

[sjames]

There would be limits, but it could do things like changing wide open throttle to accelerate to speed in 2 seconds into moderate throttle to come to speed in 4 seconds.

As long as you don't diverge too far from reality, the rest can be explained well enough by inaccuracy in the hardware. In some places GPS gets really inaccurate normally.

I'm not saying it's a good idea, just that it's close enough that there will be people trying it.

Re:Hello insurance fraud

[Bing+Tsher+E]

whats next health insurance companies stapling pedometer's onto people get a lower rate?

You don't think those bluetooth 'fitness monitors' that are popping up in the market won't eventually be used to 'provide insurance customers with more preferable rates' if they wear one connected to an Insurance Companies database?

Citizen! We are all in this together. We all pay for each others' healthcare. It in in all of our interests for EVERY citizen to live an optimally healthy lifestyle.

Re:Hello insurance fraud

[beelsebob]

"And the excess damage?"

What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor I designed my car.

Do you think I commited fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for puting me at risk for your lack of due diligence.

Yes the insurer absolutely will think you committed fraud. Then their very first step will be to ask the police for an accident report. The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle.

Believe me, when that is put in front of a judge, your "putting you at risk" charge is going to be thrown out, and their fraud charge is going to hit you square between the eyes.

Re:Hello insurance fraud

>There's no "excess damage", just "damage".

L2physics, noob, or GTFO Slashdot. GPS says you were going 30, damage looks like you were going 50. Kinetic energy goes as the square of velocity so the difference is blindingly obvious. Guess what happens next? The adjuster's going get real, real suspicious at that point and start digging. Game over for you.

Re:Hello insurance fraud

[silfen]

It therefore worries me that companies are this lazy when building such equipment

Among all the areas in daily life where companies can hurt me through weak security, this is way down on the list.

My first concern? Probably that US banks and credit card companies should start using smart chips, two factor authentication, and reliable notification, all of which are easy to do and widely used elsewhere.

Re:Hello insurance fraud

[DarkOx]

The vast vast majority of municipalities and vehicles are not subject to emissions testing. So for most people it won't be an issue, except when if diagnostics are needed.

Most mechanics are already pretty used to applying stickers etc, where states/counties require safety inspections, if customers want the convenience I am sure the major insurers can mail these folks a roll of stickers they can reapply; under threat of not being able to obtain additional stickers and inconveniencing their customers if they don't handle the stickers properly.

Everyone else just gets a weeks grace period or whatever to swing by their local branch office and get their agent to apply a new sticker.

I am not saying its a great solution but probably more workable than you think.

Finally maybe the devices could be designed to offer a pass through so you can connect an additional ODBII devices, the device could just proxy the commands and responses, maybe the state would not allow if for emissions tests, but your mechanic could still get his diagnostic info.

Re:Hello insurance fraud

[Gilgaron]

I'm not joking: they gave us pedometers at work to get a lower rate on our health insurance. It is optional, of course. You can look it up, they're using Virgin Pulse, I imagine there are many others. You get even more discount if you make up meal plans and on and on.

Re:Hello insurance fraud

The most obvious reason for an attack here is to commit insurance fraud
You are not being devious enough.

Track a spouse (most cell modems have gps). No amount of 'inspection' other than dumping all the firmwares off all the devices would find it.

Ransom the car (500 dollars in bit coin to this address or I brick your car).

Fraud (like you talk about).

Spam relay (no mcafee in the auto world).

Pranks on friends (change the radio to the local mexican mariachi channel after 3-5 mins of it being changed)

Positive hacks (retrieve the same information your insurance company gets and find out sooner than later if something is wrong).

Also people are freaking out about this. It is MUCH worse than you can think. All these controllers *never* had a concept of security. They are not designed that way. They are designed to fail safe if possible. That is their #1 goal. #2 is run things correctly. #3 interpolate properly with other systems in the chain. Security is way way way way down on the list.

Re:Hello insurance fraud

[Culture20]

The problem with such a program is that the insurance company has the data from other dongles on the same roads. Presuming there are timestamps on the accelerations, they can model traffic flows. If everyone is stopped at a stoplight in the reconstructed model but your fake data shows you driving through the light at speed limit minus one, their analysis program will know something is wrong with your data. Investigation ensues.

Re:Hello insurance fraud

[msauve]

You think a company who doesn't bother with even simple security is going to do that?

Re:Hello insurance fraud

[ruir]

Can your dog walk your pedometer around home?

Re:Hello insurance fraud

[turbidostato]

"the insurer absolutely will think you committed fraud"

Absolutly yes, of course. Heck! they probably default to think there's a fraud even if lacking any evidence.

A very different thing is for them to *demonstrate* there's a fraud or, at least, being a civil case, that it heavily smells like fraud.

"The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle."

And the insured will claim that his coverage is bound to the dongle as per the contract since his anual bill is also bound to it. So, on one hand, the insured will claim the real-time measures from the dongle are correct and, on the other, that even if they are wrong, his coverage and liabilities are bound to the dongle as per contract.

Re:Hello insurance fraud

[Gilgaron]

I think that would work, but it'd be even better to put it on one of the kids. They'd take more steps and at least they're on the health plan...

Re:Hello insurance fraud

[Cramer]

This assumes a "black box" in every car, they all have sync'd atomic clocks, and they're recording data like an F1 on-board telemetry recorder. (all three are not true, btw.)

Re:Hello insurance fraud

I get kickbacks on my HSA if I report back my health screening results every year, and 'Higi Points' (whatever those are) to link my Fitbit to Higi, some kind of corporate health monitoring station. Higi points can be used to buy fitness crap, water bottles, salad widgets, and a few gadgets and accessories.

Re:Hello insurance fraud

This assumes a "black box" in every car, they all have sync'd atomic clocks, and they're recording data like an F1 on-board telemetry recorder. (all three are not true, btw.)

Or just GPS. It doesn't take much electronics to have a radio-synced clock.

Re:Hello insurance fraud

[strikethree]

A possible reason for hacking into the module would therefore be to falsify the data sent back to the company; a boy racer who regularly breaks speed limits, corners absurdly fast and brakes late if at all would gain substantially from a fraudulent data recording which portrayed him as someone with the driving habits of an octogenarian grandmother

This is one of the things that annoys the hell out of me. Speed, in and of itself, does NOT cause accidents. That boy racer type may be avoiding accidents (except when he is racing, where the goal is to win, not drive safely) and the octogenarian may in fact be causing numerous accidents by changing lanes at slow speed in front of faster moving traffic.

A dongle will NOT tell you what is going on around the car. Generally speaking, you should be going slightly faster or slightly slow than traffic around you. This keeps traffic flowing smoothly. Move out of the way if someone appears to be going faster than you. Do not tailgate if someone is going slower than you... of course, expecting cooperation will surely lead to disappointment so all you can do is try to follow the two rules above as best you can and take a zen approach when others choose not to cooperate.

Regardless, there is no single set of traits that can be measured through ODB II that will indicate whether or not a person is a good driver or a bad driver.

Who would ride with these dongles anyway?

Seems like a massive invasion of privacy and a potential big gotcha to raise rates or deny payouts in certain instances.

Technically, I speed 90% of the time. But it's appropriate speed for the road and my driving 22 years no without an accident attests to that. Should be good enough for the insurance company.

Even if you could put these dongles in a makeshift faraday cage, afraid the insurance will refuse to pay out one day if it's not plugged in and reading data.

As it is now, I think they are more to collect marketing data to sell to other companies. They have your private info, and now where you exactly go to? Sounds like a marketers wet dream.

Re:Who would ride with these dongles anyway?

Justify all you want. it still makes you a duschebag.

Speeders are selfish assholes.

Re:Who would ride with these dongles anyway?

slowpokes are selfish fucktards who are stealing time from everyone else on the highway.

Re:Who would ride with these dongles anyway?

Speeders are selfish assholes.

That depends entirely on the flow of traffic. If the posted speed limit is 65 and most cars are moving at 65, you're right, speeding is an asshole move. If the limit is 65 and traffic is going 80, the douchebag driving 64 in the left lane because "by God the limit is 65" is the one most likely to cause an accident.

Re:Who would ride with these dongles anyway?

[mrchaotica]

In some areas, literally 100% of drivers are speeding. Does that mean they're all selfish assholes, or does it mean the speed limit is too low?

Re:Who would ride with these dongles anyway?

[Bing+Tsher+E]

In my experience, both. But I live in a pretty dirtbag part of the country. People are REALLY into their cars here.

Re:Who would ride with these dongles anyway?

[petermgreen]

Who would ride with these dongles anyway?

Desperate teenagers who are priced out from getting insurance any other way!

Time for the Ransomware

[RichMan]

If you want to drive your car again, send $500 to .... until then the ignition is locked.

Re:Time for the Ransomware

[rmdingler]

Is there any room to name one's own counteroffer with the price gun?

Re:Time for the Ransomware

[wierd_w]

except that the firmware in the ignition control system of the vehicle is written on actual PROM chips, not EEPROM chips, because they have to operate in a hazardous environment. (Temperature extremes, moisture intrusion, dirt, corrosion, etc.) Voltage spikes from slowly decaying wiring, or other sources of irregularity can damage an EEPROM's contents, where a PROM will just burp a little, then be fine after the irregularity. (assuming it isnt a very large spike that can kill silicon anyway)

This means that the ODB2 interface (the little connector under the dash) can at best, only be used to circumvent proper engine function when another device is attached to the bus that has such programmability.

There most certainly ARE such devices on the market, such as the lojack type devices used to prevent vehicle theft on vehicles that arent paid off, etc-- used by used car lots and the like, but these are purposefully installed in a fashion that makes physical removal of the device difficult without the correct tools/equipment. The vehicle runs just fine without such devices attached.

In the case of one of these really shitty dongles, physical removal of the dongle should suffice. The vehicle would then operate with no outside manipulation of its ignition control system. They try ransoming the vehicle, just pull the dongle.

The bigger concern is possible malicious actions, such as "Murder by remote" type situations. The vehicle has such an exploitable device (with its lack of challenges against the network it is communicating with), and a murderer chooses to exploit this to make the ignition control system refuse to fire any of the spark plugs, or to drive any of the fuel injectors. The vehicle stalls while driving 70mph (or faster) on a crowded highway during a lane-change, or while passing. Perhaps the antilock brakes (automatic skid control systems have control over braking) are exploited, and the brakes on one side of the vehicle slam down while doing said 70mph, and the vehicle spins out of control or flips over.

Considering that there is absolutely NO protection here, (No challenge/response, no encryption, no verification of remote network authenticity, etc.) there is definitely room in the criminal underworld for such a remote exploit. Professional hitmen, (and government agencies) would love such a toy.

I mention this possible application, because the obvious one of insurance fraud has already been brought up a few times.

Still, the solution is the same. Physical removal of the dongle solves all the problems.

Re:Time for the Ransomware

[Minupla]

Just as a point of interest, there was a talk at Defcon last year where someone built a IPS (intrusion prevention system) for the bus of the car. It turns out that the communication matrix for a car is a very static system. The parts of a car that communicate with each other do so often (e.g. Engine controller and injection system), and predictably. Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do. So it's possible to build a device that models the system by listening on the bus and if it suddenly sees new traffic patterns shorts out the bus, leaving you with a less smart, but still on 4 wheels and not careening into oncoming traffic, car.

Seems like something the OEMs should be looking into.

Min

Re:Time for the Ransomware

[wierd_w]

No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

However, this would require a "smart" component inside the dash, between the actual ignition control system/ACS system, and the ODBII port interface. Such a device would need to have a reference pattern to check current communications against, and would need some level of processing capacity to compare realtime engine diagnostic data and bus activity against the reference. (Does not need to be fancy here, but this does imply the ability to program a new reference pattern later, especially if the system is fully adaptive to changing engine conditions over time.)

This then places some significant implementation considerations on the vehicle manufacturer-- this device has to somehow be able to be field-reset at a dealership if it gets confused after having the engine serviced, and also needs to have nothing but read-only access to the engine's control system. The only thing it should have "write" access to should be the fuse. (And maybe an indicator lamp)

However, given the less than spectacular implementations of integrated devices in modern vehicles (in terms of security, and security oriented design/implementation) I question if such a device would be properly implemented.

I get the sneaky suspicion that the automaker would be ... "tempted" ... by dealerships and other retailers in the market to integrate lojack functionalty into the security device, thus making it itself into the target of exploits. (Otherwise, the purposeful activation of the intrusion failsafe would render actual lojacks incapable of stopping cars, by disabling the communication bus. This means removing the fuse would essentially disable such countermeasures.) This would then make "remove the dongle" no longer an option.

When presented with a choice between "properly implemented security" and "Pressure from their customers" (Auto manufacturers RARELY, if ever, sell directly to the public. THEIR customers are the dealerships.) , I expect automakers will choose to placate their customers every single time.

Re:Time for the Ransomware

[Lumpy]

I can rewrite the OS in my ECM and BCM at any time they are EEPROMS and FLASH not PROMS.

Maybe back in 1988 they were PROMS, today's cars are field programmable, Hell BMW's have been field programmable since the 90's.

  I've been hacking on cars for hotrodding for 20 years and ALL OF THEM have been easily modified for decades. Up to 1998 you had solidified chips but the Advent of ODB-II had field programmability very VERY common.

Re:Time for the Ransomware

[Minupla]

No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

Doesn't protect against other attack avenues that have either been hypothoized or demo'd though. The entertainment unit always seems popular. Trojaned CD in the player, for example or exploit against the bluetooth system. Hey I wonder what happens to that cute bit of software that displays what song the FM station is playing if the station sends YourPawnedxxxxxxxxxx....?

I'm not sure most of the security sector put it together that someone might voluntarily install their own remotely exploitable device into the bus in sufficient numbers to be interesting. Guess we should know better then to underestimate the power of a discount!

(I do agree with the rest of your post btw.)

Min

Re:Time for the Ransomware

[wierd_w]

That's unfortunate... I can see why it would be desirable by the manufacturer and dealer, (as it would enable quite a few shady practices by both), but I question how stable EEPROM is compared to PROM in the hazardous environment under the hood or dash. (I know some modern systems are installed under the center console between the front seats, and some are installed under the passenger or driver seat, but this is still a problematical location in terms of operating environment. Still has large fluctuations in ambient temperature and issues with moisture and corrosion.)

I have seen ODBII dongles made specifically for hotrodding that contain new fuel mix tables and timing data for the ignition control system, but havent really seen kits to completely re-flash the ICS's computer.

Guess you learn something new every day.

Re:Time for the Ransomware

Yo dawg, I plugged my insurance car dongle into my nuclear centrifuges. Can you help? - Love, Iran.

Re:Time for the Ransomware

[mjwx]

Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do.

Most systems will have some kind of physical security, the entertainment system wont be able to communicate with the AWD system. Engineers are pretty bright and know that if you could issue a command from the bluetooth on the stereo to send 80% of the power to the back right wheel at highway speeds it would be a very bad thing.

However the ransomware doesn't need to be deadly, it just needs to be annoying. So the weaker systems like the infotainment unit are prime targets... I.E. pay us $500 or we'll leave Shake It Off on repeat.

Re:Time for the Ransomware

Actually, there is usually an electrical connection because, for example, the entertainment system adjusts its volume to compensate for the engine volume. While there's usually some security between the two, it isn't likely to be very well done, and, in fact, has been shown to be weak in some cases.

Re:Time for the Ransomware

Uhm, certainly you can do a firmware update of the ECU on modern cars. At least with Audi it cannot be done with the engine running (at least not with the official software, but I would expect the ignition controller rebooting would cause the engine to stop running anyway).

Re:Time for the Ransomware

[tibit]

how stable EEPROM is compared to PROM

Electrically-programmable fused PROMs suffer from bit rot and simply are not made anymore. I hate the damn things with a passion, they are one of the causes of good legacy test equipment turning getting bricked. The legacy OTP EPROMs require high voltage for programming and the only concern with them is slow charge decay. These days, it's FLASH all the way.

Alas, you're making up imaginary problems. Every high-rel firmware-based system will not only verify the integrity of the firmware upon boot-up, but continuously during operation. I mean, heck, we're not even talking about the cars here - my washer and dryer are both running continuous firmware CRCs in the background, all the time, as well as RAM integrity and plausibility checks.

Never mind that the inside of an ECU module is quite isolated from exterior noise. Every circuit going through the box has extensive filtering and surge protection. The logic supply voltages will be within spec all the while the battery voltage swings every which way (think of a range from single volts to a hundred or two).

Re:Time for the Ransomware

[Lumpy]

It's not as filtered as you think. A single shorted sensor can and does cause other problems in car ECM's. BMW E30 ECM if the oil level sensor shorts out will cause other sensors to read as failures as well as power brown outs tot he processor causing major issues.

Car electronics are only built a step up from consumer electronics nowdays. It's quite a joke as to how crappy the engineering in all the electronics in a car are.

Re:Time for the Ransomware

[Lumpy]

Older cars the Spark and fuel tables WERE a part of the firmware, in fact every time I flashed a new EEPROM for the 7730 ECM I rewrote the whole thing. I even went as far as used a larger EEPROM and tied the highest Address line to a switch so I could write multiple copies with different tables in the single EEPROM and flip a switch on the fly to go from street driving for smooth and decent gas mileage, to racing with aggressive spark tables and dumping in fuel like a banshee. the CPU in the 7730 did not even know I switched anything if done at idle. I even added features like intercooler spray activation that the ECM never supported.

Todays cars, the software is written horribly so they need to do updates. BMW updated the entire firmware package to my Transmission twice.

Re:Time for the Ransomware

[tibit]

I think that the part of the issue is that there's really not all that much standardization that has force of law when it comes to ECUs. It's sad to see that they use an ECM that has such silly issues.

Re:Time for the Ransomware

[Minupla]

Sadly the relevant research shows that while you would like this to be the case, it isn't.

If you'd like to know more, look at the defcon conference videos for the last few years.

Just as a for example, I'll direct you to this article:

http://www.nytimes.com/2011/03...

There was also a talk this last year that went into the architectural design of the car's network, and showed that in most cases there was no device between the head end unit and the sensitive items in a car, and where there was it wasn't a security device, merely a signal management unit, and the presenter expected to be able to jump it. But again, typically if you get access to the bus, you can talk to anything you want. There was also a lovely bonus bit where they showed you could update the to an arbitrary unsigned firmware due to some sloppiness in the process. (if you cut the power at the right time, the recovery process didn't do the appropriate checks. Once they got in and could analyze the python scripts being used, they discovered if you wrote a specific character (I think D but my memory could be playing tricks on me) to the right sector of the CD, it would bypass the signature checks and just update the firmware.

Engineers are generally smart, but they also tend to design to the specifications. If you don't TELL them to consider an attacker in their designs, they don't.

Min

To be gagged

“However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.”

"confidential and detailed input" ... Emphasis mine.

How long until he is hit with a gag order, "to protect the public", and "to prevent terrorists from exploiting it". That is why I have always supported the full disclosure (bugtrac) movement, as it is too easy for a company to practice Security by Obscurity by gagging the security researcher discovering a vulnerability.

Nerds gonna have perfect driving habits

[vpness]

In other news, nerds flock to progressive insurance and claim safe driving styles resulting in the lowest possible insurance rates. Progressive in press release say 'we hypothesize it's because nerds don't party or stay out late'

Re:Nerds gonna have perfect driving habits

[PopeRatzo]

Progressive in press release say 'we hypothesize it's because nerds don't party or stay out late'

Nonsense, I've been to board game parties where 6 of us went through almost a whole quart of 3.2 beer. We rocked the house until almost 10:30pm. I mean, it was a work night after all and I had to get home to watch the DOTA2 quarterfinals on Twitch.tv.

Re:The Myth of Tamiflu: 5 Things You Should Know

[Black+Parrot]

But will a wearing a dongle help?

This is just stupid!

So what? You can hack the connection without any dongle. What's the point? That the dongle itself can be fudged? So what? Go ahead and try it and see how long before your brought up on fraud charges for a few extra $$ for a few months or even a year.

Do you kids have any morality?

Re:This is just stupid!

RTFA. This is about the dongles being able to be hacked remotely over the air.

onStar?

[Black+Parrot]

What do we know about the security of systems such as onStar?

Re:onStar?

I have two friends who were saved by OnStar. In both cases, they were in the middle of nowhere and a would have probably died after a hit and run. You can talk all you want about perceived privacy issues, but when the system saves lives, your insignificant complaints are going to be ignored. I pay for an OnStar subscription for my wife and three kids that drive. Privacy is important, but sometimes the trade-off is worthhile.

Re:onStar?

[DigitAl56K]

That's a very valid point, but let's not pretend that you couldn't have the benefits of OnStar without most of the nasty privacy issues. A limit on data retention, clear indication when the device is listening in, and not selling subscriber data to the government would resolve a lot of the criticism.

Re: onStar?

This. OnStar like things could be designed with privacy in mind. The current ones are not. That says something.

Being "saved" by one is irrelevant.

Re:onStar?

[Solandri]

and not selling subscriber data to the government

I've wondered, what's to stop them from collect that data even if you're not a subscriber?

Re: The Myth of Tamiflu: 5 Things You Should Know

Did Tamiflu rape your family? What gives?

Re: The Myth of Tamiflu: 5 Things You Should Know

[sjames]

It can cause psychiatric symptoms in some...

Privacy vs Security

[MrKaos]

Whilst it's a little twist on Franklin's words it is appropriate. People who give up their vehicle data privacy for lower cost insurance premiums in time will for premiums up for people who choose not to use one of these dongles.

I'm glad the insurance companies are so lax with those peoples security as to make them a target for crackers. It shows they are subject to the same type of contempt the insurance companies demonstrated in the first place. People too insular to be concerned deserve to be subject to every exploit there is.

Direct connect

[jklovanc]

From the article.

By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits

SO only direct connect has been proven.

The researcher noted that for a remote attack to take place, the concomitant u-blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too. Such systems have been exploited in the past, as noted in a paper here from Ralf-Philipp Weinmann, from the University of Luxembourg.

Remote access has only been shown by similar systems.

Call me when you can actually show a remote exploit through the dongle.

Re:Direct connect

[tibit]

The problem is that you have a system that's not inherently safe - it merely rides on the unproven safety of one single component. A resilient system would have many barriers that you have to break down in order to gain access. This one has just one. For all we know, it has already been broken.

Re:Direct connect

[strikethree]

Call me when you can actually show a remote exploit through the dongle.

By then, it will be too late. Why is it that people so blithely ignore someone who points out that going in the wrong direction is liable to lead to all sorts of nastiness?

Re:Direct connect

[jklovanc]

So bypass the hard parts by soldering into the circuits and then say the device is insecure. We have no idea how many layers they bypassed. This is like entering the bank, shutting off the alarm with the code, opening the vault door with the combination, drilling a few safety deposit boxes and then saying safety deposit boxes in banks are insecure.

If you need physical access to the dongle it is not a true exploit of the dongle.

This kind of privacy invasion should be illegal

This is the kind of tracking that would make despotic regimes like East Germany or the United States very happy indeed. It should be illegal for anyone to track individuals as they go about their daily business. Do you want to live in a totalitarian state or not?

Re:This kind of privacy invasion should be illegal

It's not a privacy invasion. Driving is not a right, nor is having insurance. They can impose any conditions they wish upon your having a policy, and the State can impose whatever conditions it wishes upon you driving on the public roads.

If you don't like it, you can always choose not to have a car.

Ron Paul 2016

Of course not.

Any of those features cost money to develop.

Why would anyone develop security features for a thingy that, at least to beancounters and managers, looks like it would be obviously secure because nobody else knows how it works.

Seriously

[nospam007]

I had a client who actually bought holy Mary anti-virus stickers to put on the outside of the computer.

It's a gamble

[swb]

It's a gamble between two opposing forces of insurance:

1) On one hand, insurance companies are bureaucracies and handling claims is a bureaucratic process with a certain amount of inertia, where obvious fraud needs to be caught but time/people/resources don't exist to fine-grain protect against all possible marginal fraud, otherwise the system would grind to a halt. A tracking device with a minor deviation from observed damaged may just get written off as the strangeness of physicals or the brittleness of plastic cars -- I mean, we have the data, right?

2) On the other hand, IMHO, the insurance company is almost in the primary business not of supplying insurance or processing claims, but in DENYING claims. Insurance fraud is a huge risk, the more claims they can deny the more money they make and they have deep and long-term investments in actuarial data and statistics. They may already have enough tracking device data in their databases to *know* that your physical damage doesn't align with the tracking data.

And Allstate/State Farm are making them Mandatory

I received a letter from my State Farm agent indicating that I would be required to install their dongle in my car if I wanted my policy to renew. So, I went down the street to the Allstate agent, who told me that they were requiring their dongle for all new policyholders.

So, fuck them.

Re:And Allstate/State Farm are making them Mandato

[PPH]

Wow. I wonder what I'd do if my State Farm agent pulls this stunt on me. My cars predate OBD II or any other diagnostic ports by a few decades.

I'd be happy to put them in the ashtray or something.

OBD II Condom

[PPH]

There might be a market for a defice that can be placed between any such 'required' dongles and a vehicle's actual systems. Something that can pass certain data in only one direction (read-only vehicle parameters) and block requests (and spoof handshake signals) should dongle attempt to make an unwanted request of the vehicle's systems.

I can also see a market for such a device where emissions tests are done by reading the data port. Just tell the port filter to always reply with an 'all is well' code.

Re:OBD II Condom

I already know that stuff like this exists and is available for purchase.

I know a guy... Who took a Mazda Miata and put a V-8 under the hood. http://monstermiata.com/ One of the problems he had was trying to get this thing to pass the OBD2 emissions test. It wasn't that the motor was out of specifications emission's wise, but that the VIN number reported by the OBD2 didn't match the VIN number of the car or even the manufacturer which is an automatic fail. His solution? He burned his own PROM for the power train module. He needed to do that anyway, because the car's new transmission shift points and such needed to be "adjusted" for the lighter car. So his modification didn't require that you attach any new stuff to the car, you just had to replace the PROMS in the computer. There was no way to tell that the systems had been modified, well, if you didn't look under the hood knowing what a Miata was *supposed* to be.

I will say this about that car. Even if it was the coolest car I've ever been in it scared the .... out of me to ride in it. You could IDLE at about 45mph, so you had to ride the breaks to get it to go slower than that. If you where not extremely gentle with the gas, you'd light up the tires, even highway speeds. It was very hard to drive under ideal conditions, add rain or the other nuts doing stupid things, this car felt dangerous. Fun, but dangerous...

Wrap it in a mylar bag or aluminum foil.

[Virtucon]

If you're worried about it, solve the problem at the communications layer. Wrap the dongle in such a way that it can't transmit or receive data. "What you're not getting the data? Wow that's strange. I have it plugged in." Either that or find another insurance company that doesn't track you. The fact that you've allowed a device to track you in the first place means that you've exposed yourself to risks, some overt such as your lead footed behavior is know a known quantity and inadvertent in terms of a hacker potentially changing your ECM or some other system in your car. What we need are stronger privacy protection laws as well as some insurance reform that says your rates are based on what you drive, how much you drive and your driving record. Every time you have somebody do an oil change, that information is sold and mined (Carfax etc.) so Insurance companies can verify mileage and tickets/accidents are all a matter of public record. Therefore there's no need for this kind of tech.

Re:And Allstate/State Farm are making them Mandato

[Bob+the+Super+Hamste]

I'd tell them they can install it on my vehicle and let them sort out a positive ground pre-emissions little british roadster. Of course the Lucas Electric components may let magic smoke out of their device but it wouldn't be my problem.

Am I missing something?

[ripvlan]

It is nice to know that these security hole exist. Others have pointed out how these might be ... put to use.

I found the article lacking. Here's what I'm missing - nowhere in the article did I gain an understanding of the feasibility of attacking this system. We've elsewhere seen people unlocking cars from the outside (either breaking a window and using the port or wirelessly). Breaking the glass is just that - Break Glass and people would notice.

Having to unplug this device and write new firmware isn't really a hack. Yes - it would be nice if these things had security codes stamped into them for access to the mothership. Still - from outside the car how do I attack this thing? How do I take over this thing and make use of it?

I'm sure there's a way, I'm just not getting a feeling of the priority here. I won't signup for these devices because of the big brother aspect. Shaming the companies for low security is fun. And there are hypothetical attacks on the cell system. But how serious is this? What is my attack surface right now?

Security is subjective

Whether or not a system is "secure" depends on whose security you're talking about. Lets think about the purpose of these black boxes, and whose interests they are intended to serve.

One thing I noticed when I saw a snail mail ad from my insurance company for one of these, is that it looked like the box would actually be coming from a third party who would be supplying the insurance company with information about my driving. (Interestingly, I saw no indicator that my insurance company would be the only party they would be supplying information to.)

If the machine causes a problem, that might be "insecure" from the PoV of the driver or the insurance company, but would it have a cost to whoever created the device? If not, then the vulnerabilities aren't "insecure."

Re:And Allstate/State Farm are making them Mandato

I'm sure they would just tell you F off with our old ass car and cancel your insurance at the next renewal.

Re:And Allstate/State Farm are making them Mandato

I'm guessing you have something in your recent driving history that caused them to do this, i.e. an accident, DWI, or habitual moving violations.

My State Farm policy doesn't require it.