Slashdot Mirror


Insurance Company Dongles Don't Offer Much Assurance Against Hacking

According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies; basically it uses no security technologies whatsoever.”

7 of 199 comments

  1. Re:Spoofing! by Anonymous Coward · Score: 4, Insightful

    I've long thought there could be a really lucrative market for OBD2 spoofers.

    Okay, so there's a market for insurance fraud hardware devices? Are you planning to sell these on this week's reboot of the Silk Road?

    BTW, there's better money to be made if you're willing to commit fraud or other felonies. I say skip the penny ante bullshit and go for credit card fraud. Most of those people get away with it because the issuing banks don't give a fuck due to sticking the merchants with the costs.

    HTH.

    Protip: not everything having to do with computers or electronic hardware needs a new "...on a computer" law in order to render it illegal. You may have confused this with the issuance of patents, where the addition of a computer algorithm is always considered a groundshaking breakthrough and worthy of allowing someone to rent seek over real innovators. No worries, this is a common misunderstanding. Have a nice day!

  2. Time for the Ransomware by RichMan · Score: 3, Insightful

    If you want to drive your car again, send $500 to .... until then the ignition is locked.

    1. Re:Time for the Ransomware by Minupla · Score: 4, Insightful

      Just as a point of interest, there was a talk at Defcon last year where someone built an IPS (intrusion prevention system) for the bus of the car. It turns out that the communication matrix for a car is a very static system. The parts of a car that communicate with each other do so often (e.g. Engine controller and injection system), and predictably. Other parts that don't (e.g. entertainment system, or that OBDII plug from the insurance company and the traction control system) never do. So it's possible to build a device that models the system by listening on the bus and if it suddenly sees new traffic patterns shorts out the bus, leaving you with a less smart, but still on 4 wheels and not careening into oncoming traffic, car.

      Seems like something the OEMs should be looking into.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before

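The "learn the communication matrix, then alert on new traffic patterns" idea in the comment above, as an added example that is not from the post or from the Defcon talk it mentions. It models each CAN arbitration ID by its payload length and its shortest inter-frame gap from a known-good capture, then flags IDs absent from the baseline, changed payload lengths, and frames arriving much faster than the learned period. The frames, IDs and timings are constructed for the demo; a real IPS would act on the alerts rather than just return them.

```python
def learn_model(frames):
    """Learn the communication matrix from a known-good, time-ordered capture.

    frames: iterable of (timestamp_s, arbitration_id, payload_bytes).
    Returns {arb_id: {"dlc": payload_length, "min_gap": shortest_interval_seen}}.
    """
    model, last_ts = {}, {}
    for ts, arb_id, payload in frames:
        entry = model.setdefault(arb_id, {"dlc": len(payload), "min_gap": None})
        if arb_id in last_ts:
            gap = ts - last_ts[arb_id]
            entry["min_gap"] = gap if entry["min_gap"] is None else min(entry["min_gap"], gap)
        last_ts[arb_id] = ts
    return model


def detect(model, frames, tolerance=0.5):
    """Replay a capture against the model; return (ts, arb_id, reason) alerts.

    Alerts on an ID never seen in the baseline, a changed payload length, or a
    frame arriving far faster than the learned period (a second sender on an ID
    that already has a legitimate, periodic sender).
    """
    alerts, last_ts = [], {}
    for ts, arb_id, payload in frames:
        expected = model.get(arb_id)
        if expected is None:
            alerts.append((ts, arb_id, "unknown arbitration ID"))
        else:
            if len(payload) != expected["dlc"]:
                alerts.append((ts, arb_id, "unexpected payload length"))
            if arb_id in last_ts and expected["min_gap"] is not None:
                if ts - last_ts[arb_id] < expected["min_gap"] * tolerance:
                    alerts.append((ts, arb_id, "frame rate anomaly"))
        last_ts[arb_id] = ts
    return alerts


# Constructed baseline: ID 0x0C0 (8 bytes) every 10 ms, ID 0x1A0 (4 bytes) every 20 ms.
BASELINE = sorted([(i * 0.010, 0x0C0, bytes(8)) for i in range(20)]
                  + [(i * 0.020, 0x1A0, bytes(4)) for i in range(10)])

# Constructed suspect capture: baseline traffic plus a second 0x0C0 sender firing
# 3 ms after each real frame, and one frame from an ID (0x3FF) absent from the baseline.
SUSPECT = sorted(BASELINE
                 + [(i * 0.010 + 0.003, 0x0C0, bytes(8)) for i in range(20)]
                 + [(0.055, 0x3FF, bytes(2))])


def run_demo():
    """Learn from BASELINE, then check SUSPECT; returns the alert list."""
    return detect(learn_model(BASELINE), SUSPECT)
```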
  3. Re:Is it really a surprise? by rudy_wayne · Score: 2, Insightful

    That most people don't give a damn about security "because it is hard"?

    Actually, security is not hard. But, security done properly requires you to commit substantial resources -- people, time, money. And that cuts into profits, so most companies are not interested.

  4. Re:Spoofing! by danlip · Score: 4, Insightful

    You think it's possible to implement a "new economic structure" that doesn't favor those with wealth and power more than the current one? The only people interested in a level playing field are those not at the top.

  5. Re:onStar? by DigitAl56K · Score: 5, Insightful

    That's a very valid point, but let's not pretend that you couldn't have the benefits of OnStar without most of the nasty privacy issues. A limit on data retention, clear indication when the device is listening in, and not selling subscriber data to the government would resolve a lot of the criticism.

  6. Re:Spoofing! by KingMotley · Score: 3, Insightful

    Perhaps it was perceived, but they determined that the market of people willing to face fines and possible imprisonment so that they can save $10 in their insurance wasn't big enough to warrant the expense of building all that extra security in.