Slashdot Mirror

← Back to Stories (view on slashdot.org)

Insurance Company Dongles Don't Offer Much Assurance Against Hacking

Posted by timothy on from the best-hanging-from-rearview-mirror dept.

According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies basically it uses no security technologies whatsoever.”

125 of 199 comments (clear)

  1. Spoofing! by Anonymous Coward · · Score: 5, Interesting

    I've long thought there could be a really lucrative market for OBD2 spoofers. Instead of plugging the dongle directly into your car, plug it into a middle-man that feeds it the "happiest" possible data to make it think your driving is perfect. There is no authentication in the OBD2 protocol so there is no way for the dongle to tell the difference between a real OBD2 data feed and a spoofed one.

    1. Re:Spoofing! by Anonymous Coward · · Score: 4, Insightful

      I've long thought there could be a really lucrative market for OBD2 spoofers.

      Okay, so there's a market for insurance fraud hardware devices? Are you planning to sell these on this week's reboot of the Silk Road?

      BTW, there's better money to be made if you're willing to commit fraud or other felonies. I say skip the penny ante bullshit and go for credit card fraud. Most of those people get away with it because the issuing banks don't give a fuck due to sticking the merchants with the costs.

      HTH.

      Protip: not everything having to do with computers or electronic hardware needs a new "...on a computer" law in order to render it illegal. You may have confused this with the issuance of patents, where the addition of a computer algorithm is always considered a groundshaking breakthrough and worthy of allowing someone to rent seek over real innovators. No worries, this is a common misunderstanding. Have a nice day!

    2. Re:Spoofing! by msauve · · Score: 1

      I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:Spoofing! by mjwx · · Score: 2

      I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).

      This is the reason MOT tests still require the mechanic to look at the car instead of trusting the computer readouts.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re:Spoofing! by wiredlogic · · Score: 2

      Some are GPS enabled now which allows cross-correlation with the speedometer and internal accelerometer readings to detect fraud. Granted, you could cage the dongle and let them think it couldn't get a GPS fix from its position under the dash. A spoofer would also need it's own accelerometer to generate believable data under acceleration and braking.

      --
      I am becoming gerund, destroyer of verbs.
    5. Re:Spoofing! by kilodelta · · Score: 1

      I've had the exact same thought. Only the way I thought of it - find the safest driver you know and just plug the device into their car. A low tech solution for a high tech problem.

    6. Re:Spoofing! by kilodelta · · Score: 1, Flamebait

      The whole thing about fraud against a corporate entity makes me a little bit angry. Who the fuck do those corporations think they are anyhow?

    7. Re:Spoofing! by turbidostato · · Score: 2

      "So, how can you tell by simply looking whether the catalytic converter is working properly?"

      A "mechanic to look" is not just "simply looking". By measuring gases at the exhaust pipe you can know about the catalytic converter's health.

    8. Re:Spoofing! by AK+Marc · · Score: 2

      I've seen cars tuned to pass emissions with the cat removed. They ran like shit, but you could make them run long enough to "fool" the required tests. It's also not illegal to fool the tests. You can tune a car for the test, test it, then modify it (or swap out "illegal" parts for "legal" ones, test, then put them back). I had that "officially" recommended to me when my mod passed emissions, but didn't pass the visual test. The visual test is performed by Alaska to verify any modifications are approved by California, and is unrelated to the performance of the parts. If you can pass the emissions test, you'll fail if your part makers didn't pay the CARB tax.

      --
      Learn to love Alaska
    9. Re:Spoofing! by ISoldat53 · · Score: 2

      I would love to put one of these on a NASCAR car and watch Flo have a stroke.

    10. Re:Spoofing! by mjwx · · Score: 1

      So, how can you tell by simply looking whether the catalytic converter is working properly?

      I expected you to be able to figure out that "look" meant running actual manual diagnostics rather than simply trusting the computer.

      My only mistake here was underestimating how stupid you were.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    11. Re:Spoofing! by epyT-R · · Score: 1

      savings which will evaporate when the spying is mandated by insurance companies and the law. Insurance is the new slavery.

    12. Re:Spoofing! by cheater512 · · Score: 1

      The GPS module is (usually) just sending NMEA serial data. Splice the line and you don't need a faraday cage and complicated spoofer.

    13. Re:Spoofing! by jrumney · · Score: 1

      By measuring the actual emissions using regularly calibrated test equipment (not blindly trusting what the car's uncalibrated sensors are telling you). The visual inspection is to ensure that the emissions are not also coming out from other places they shouldn't be.

    14. Re:Spoofing! by Anonymous Coward · · Score: 1

      > Okay, so there's a market for insurance fraud hardware devices?

      You are right. In the real world everybody is a goody-two-shoes and nobody ever tries to manipulate the system. That's why nobody bothers with passwords, no one wastes time locking their front door and GPS spoofers don't exist. How stupid of me to identify an obvious flaw in the system!!

    15. Re:Spoofing! by Lumpy · · Score: 2

      It is trivial. I can build one with an arduino in 10 minutes. Build one that sits in between so that all the good data is there but it limits the data to acceptable levels so it all looks legit.

      --
      Do not look at laser with remaining good eye.
    16. Re:Spoofing! by Lumpy · · Score: 1

      you can buy a bottle that you add to your gas tank that will pass a tailpipe test.

      --
      Do not look at laser with remaining good eye.
    17. Re:Spoofing! by Anonymous Coward · · Score: 1

      I'd rather just stroke Flo.

      To each their own. No doubt others would go to see Flo put on a Tijuana-type show with Maxwell the Geico pig.

    18. Re:Spoofing! by msauve · · Score: 1

      No you can't, not completely. Why do you think OBD monitoring is required, if everything can be checked through simple inspection?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    19. Re:Spoofing! by the_B0fh · · Score: 1

      How stereotypically Slashdot of you to presume that you discovered a trivially exploited "obvious flaw" in a system that somehow the engineers who designed the system weren't able to perceive or address.

      Did I miss something, or isn't the article itself saying that the idiots who designed the system did not perceive nor address the issue?

    20. Re:Spoofing! by drkstr1 · · Score: 1

      TTWTF is that this is the 20th century thinking that makes such an act illegal (or even considered to be immoral). Insurance companies should be free to price their policies in any manor of their choosing, and we the people should be free to share and spread information to subvert their dirty tricks. Capitalism (as it is practiced) is not suited for the 21st century. It's time for a new economic structure, condusive to an open and free market place of ideas. 20th century thinking needs to die.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    21. Re:Spoofing! by AK+Marc · · Score: 3, Informative

      yeah, it's called "gasoline".

      And they don't work. If you are running rich, you need an oxygenation. If you are running lean, you need an octane booster. They are nearly opposite, so you don't get both in one. So you need to know the problem before you toss in an additive.

      --
      Learn to love Alaska
    22. Re:Spoofing! by danlip · · Score: 4, Insightful

      You think it's possible to implement a "new economic structure" that doesn't favor those with wealth and power more that the current one? The only people interested in a level playing field are those not at the top.

    23. Re:Spoofing! by Attila+Dimedici · · Score: 1

      Define this new economic structure and we can discuss its possible merits as well as its possible flaws. So far, every one of the "new economic structures" I have seen proposed are actually recycled versions of old economic structures which failed. Your ideas may be different, but until you tell us what they are, we cannot know.

      My experience is that most of the problems with our current system are a result of things implemented in the name of "a new economic structure". Things which just made the problems they claimed to be designed to fix worse.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    24. Re:Spoofing! by mjwx · · Score: 2

      No you can't, not completely.

      Actually you can. Simple off the shelf units like this one measures all the gasses MOT test for. You dont exactly need a mass spectrometer to get an accurate CO2 reading.

      Why do you think OBD monitoring is required,

      Its not. Why do you think it's required or better yet, why do you think it's accurate?

      if everything can be checked through simple inspection?

      The MOT test is not a simple inspection. Its not the 14 point inspection the tyre shop uses to entice gullible people in so they can up sell you on crap you dont need. It test all the essential components of the vehicle from the lighting to the steering to rust on the body.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    25. Re:Spoofing! by MrKaos · · Score: 1

      The whole thing about fraud against a corporate entity makes me a little bit angry. Who the fuck do those corporations think they are anyhow?

      They're the entity you need to send the money you worked for to, because it's theirs. Now shut up and send more money.

      --
      My ism, it's full of beliefs.
    26. Re:Spoofing! by toddestan · · Score: 1

      How? I don't know of a way to get the VIN through the ODB2 port, though such a capability wouldn't surprise me terribly with the newest cars. They could try to infer whether the data is consistent with the model of car that's being insured through some of the metrics such as fuel usage. Though the biggest problem would be the GPS showing the car being parked at a place you don't live at, and being driven to a workplace you don't work at.

    27. Re:Spoofing! by pete6677 · · Score: 1

      With insurance panda?

    28. Re:Spoofing! by sjames · · Score: 1

      OTOH, in the VCR days there was a thriving market in video stabilizers "for the clearest possible picture".

      Naturally, the OBDII simulator would be for people who want to develop their own interface devices.

    29. Re:Spoofing! by sjames · · Score: 1

      Actually, they do exactly that for cars built before OBDII. The car goes on a dynamometer and a probe goes in the tailpipe. The tester then runs the car through a standardized set of speeds and durations while the exhaust is measured.

      Reading out the OBD is much faster and legislators probably can't even imagine spoofing the data.

    30. Re:Spoofing! by KingMotley · · Score: 3, Insightful

      Perhaps it was perceived, but they determined that the market of people willing to face fines and possible imprisonment so that they can save $10 in their insurance wasn't big enough to warrant the expense of building all that extra security in.

    31. Re:Spoofing! by sjames · · Score: 2

      You better watch that talk about spoofing people's dongles. We don't want another scandal.

    32. Re:Spoofing! by Bing+Tsher+E · · Score: 1

      My favored 'New Economic Structure' is 'Every Man For Himself' in a non-aggressive fashion. So if Person X figures out a way to fuck over the Insurance Companies in a way that doesn't hurt other people in any but a theoretical way (i.e. the old 'If Everybody Did That' bullshit) then all power to them.

    33. Re:Spoofing! by drkstr1 · · Score: 1

      Simple. Keep capitalism. Make it so ideas and information can't be owned (copyright is OK, but affords no additional protection except for maybe the right to citation to prevent plagerisim aka fraud). In fact, let's just get rid of all the laws except for maybe a few hundred or so. The laws that we keep should be more like commandments (EG though shall not defraud another when entering into a contract). People should not be regulated. Incorporated persons should be regulated only when and if they interfere with the free market (eg. monopoly abuse, fraud, deception, etc). Let the people weed out bad behavior/ideas naturally.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    34. Re:Spoofing! by drkstr1 · · Score: 1

      Possible, yes. Easy, absolutely not. When has initiating change on a broad scale ever been easy? It is a chore not for the feint of heart, but one that is necessary from time to time.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    35. Re:Spoofing! by drkstr1 · · Score: 1

      PS. The merits would be a more level playing field and upward mobility, and quality of life, at the possible expense of economic efficeincy. But I would argue we are in an age where economic efficiency is no longer needed to improve our quality of life, and may even be detrimental to our long term survival as a species.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    36. Re:Spoofing! by sjames · · Score: 1

      And there will probably be someone who wants to develop an OBDII interface who will find a simulator helpful.

      After all, it's dangerous to debug while driving.

    37. Re:Spoofing! by camg188 · · Score: 1

      I can see spoofing the insurance company but what malicious hacks could these dongles do to your car?

    38. Re:Spoofing! by TheRaven64 · · Score: 4, Interesting
      Just to clarify, your question is:

      A device can run arbitrary malicious code and is connected to a physical link to your car, to a system that has physical links to your engine management system, and was not written with security in mind, what's the worst that can happen?

      --
      I am TheRaven on Soylent News
    39. Re:Spoofing! by TheRaven64 · · Score: 1

      Macrovision worked by setting the brightness to maximum during the flyback period when the beam is turned off. What kind of device were your friends using where this interfered with the signal? It was a problem for (some) VHS recorders, because they averaged the brightness over the entire frame and didn't ignore the flyback interval, so you ended up with a very dark copy.

      --
      I am TheRaven on Soylent News
    40. Re:Spoofing! by gl4ss · · Score: 1

      it's not the device that makes the fraud.

      it's the individual that would put it between the insurance companys dongle and the car that would be making the fraud, but the device itself wouldn't be illegal as such.. it's not doing copyright circumvention or any such thing, so no need to go on silk road to sell it.

      certainly it would be 1000 times more legal than ssl interceptors and such which seem pretty popular for corporate/airline networks...

      this thing is just that someone realized there was a market for hastily and lazily done surveillance device and found a market in the insurance companies for it. I mean, if they really cared it wouldn't be using the obd in the first place - it would have it's own accelerator and location sensors - which would have made developing the dongle possibly 10 times more expensive than a stupid microchip .

      *note: there's already ready made devices that would fit the bill far better than what the insurance companies are using so it's pretty bizarre! of course, the separate thing might be taken out of the car but what's stopping you from putting this in an another car?

      --
      world was created 5 seconds before this post as it is.
    41. Re:Spoofing! by Anonymous Coward · · Score: 1

      To be fair, your engine management system should have been designed with security in mind. Therefore it shouldn't matter what dongles are plugged in.

    42. Re:Spoofing! by TheRaven64 · · Score: 1

      To be fair, your engine management system should have been designed with security in mind.

      Should be? Sure. Is? Absolutely not, in any shipping design.

      --
      I am TheRaven on Soylent News
    43. Re:Spoofing! by msauve · · Score: 1

      OBD monitoring may not be require in OZ, but it is federally mandated in the US. It monitors things which would pass a simple tailpipe test. You're obviously unfamiliar with what it does, and unqualified to comment.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    44. Re:Spoofing! by Attila+Dimedici · · Score: 1

      So, basically you are saying that we should go back to the system the Framers of the Constitution envisioned. That is not a "new economic structure". Rather it is a return to one which was dismantled.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    45. Re:Spoofing! by AmiMoJo · · Score: 1

      Those boxes are a scam anyway. They don't understand the type of vehicle they are connected to, and they don't understand the road surface being driven on. A lot of young people are getting them fitted to reduce their premiums, and then finding that because they live in a hilly area and have to push the accelerator to the floor just to maintain 30 MPH in their little 1.0 litre super efficient cars the dongle decides they are accelerating too hard. Poorly maintained roads make the accelerometer go nuts, and the box things you are cornering too hard because you are weaving around the pot-holes.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    46. Re:Spoofing! by AmiMoJo · · Score: 1

      Most people don't want to become insurance experts or hope that their circle of friends is clued up enough to protect them. They would rather that their government, the people who work for them, regulate the insurers to ensure fairness. It's cheaper and easier for everyone.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    47. Re:Spoofing! by AmiMoJo · · Score: 2

      The merits would be a more level playing field and upward mobility, and quality of life

      I really doubt that. What will happen is the scammers will get rich, much as they do now but on a much larger scale. It's already possible to sell a complete POS simply by advertising the hell out of it, and removing regulations on advertising would just make the situation worse.

      Quality of life will plummet as people get screwed by dodgy healthcare contracts or people polluting their environment. They could sue of course, but who has the money for that? Prices will probably sky-rocket as well, since the moment you get rid of all the regulations and restrictions other countries will raise their tariffs to compensate. Free trade is only possible when the two sides have broadly similar costs. If US workers are cheap because they have no rights or protections, the EU will slap duty on US cars being exported to it so they don't undercut European manufacturers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    48. Re:Spoofing! by AmiMoJo · · Score: 4, Informative

      Not all manufacturers build their cars that. Some have an OBD-II bridge between the port and the main bus that makes the port read only except for a few very specific commands like resetting error codes. That's why if you look at those videos of people hacking a Prius on YouTube they have dismantled the entire dashboard. They had to get to the segmented parts of the bus, the diagnostic port was not enough to screw with anything interesting.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    49. Re:Spoofing! by drkstr1 · · Score: 1

      No, that is what we get in now in the current hegemony. The i would even say the system we have now in practice was designed so the liars thieves and fraudsters can gain an unfair advantage. This is why income is unnaturally distributed to the top, rather than a nice clean bell curve, as it should be, according to natural law. What I am proposing simply boils down to a change in our priorities. One that puts the persuit of knowledge, truth, and honesty above all else. All of that behavior you describe could easily be weeded out in such a system, as no one would have any exceptional advantage over anoter. The common man is more capable than you give them credit for. Let's create a system designed for them.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    50. Re:Spoofing! by drkstr1 · · Score: 1

      I would have much rather your +4 insightful mod gone to the people who actually had an interesting/insightful argument against my own. Meh, just goes to show you why you should always browse at 0. That's where all the good stuff is at ;)

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    51. Re:Spoofing! by Pascoea · · Score: 2

      savings

      That's a funny joke. I tried the snapshot. What a fucking joke. Three cars: Me, 20 mile daily rush hour commute. Wife, 15 mile "off peak" daily commute. Daughter, car literally sat in the driveway for the three months, with the exception of 2 trips from Minneapolis to Fargo and an occasional trip to the gas station around the corner. Me: 0% (ok, I expected that.) Wife: 3%, daughter 3%. Seriously? What do you have to do to get their 30%?

    52. Re:Spoofing! by dave420 · · Score: 2

      But every single person who files a false insurance claim or pretends to be a better driver than they are is costing everyone else money. Every single one of them. You not being able to tell with a cursory glance doesn't change that...

    53. Re:Spoofing! by 0100010001010011 · · Score: 1

      It would actually be a perfect device for simulating the EPA test cycle. It would be a perfect way to sell it legally. The EPA cycle is "the" test for cars in the US so there are plenty of professionals that would love a tool. Some simulation software starts at $5k/license. (CANalyzer). No one says you have to sell your device with 'encryption' so that the EPA cycle would be replaced with whatever cycle you wanted.

      Or you could just do it with a cheap uC board these days. These guys are building a engine EFI controller with a $14 circuit board as the base. Even having to spoof their own messages With an ODB/CAN simulator you could easily

      And maybe someone would then finally make a legitimate cheap CAN/ODBBluetooth reader instead of clones of clones or a chip that is ages old to read data as well. USBCAN cables from good vendors start at $500 even though the functionality is built into a lot of new chips.

    54. Re:Spoofing! by Bob+the+Super+Hamste · · Score: 1

      I don't think I pay $1200 a year to insure all 3 vehicles in my household. It probably cost a little more than $1000, but $1200 a year for a single vehicle seems on the high side of things.

      --
      Time to offend someone
    55. Re:Spoofing! by ripvlan · · Score: 1

      StateFarm gave me one that ran on my mobile device (not OBD2) - simply using GPS etc.

      So I did a few laps of the track and gave them some data.

      Garbage in, garbage out.

    56. Re:Spoofing! by bws111 · · Score: 1

      Huh? They use their own accelerometers to measure acceleration, so your 'hills' scenario makes no sense.

      Do you know what the insurance companies care about? Risk. All they want to know is how likely you are to be in an accident. Therefore, contrary to your suggestion, they ARE taking into account things like the road surface. If you are 'weaving around pot-holes' and driving on poorly maintained roads you ARE more likely to be in an accident.

    57. Re:Spoofing! by mysidia · · Score: 1

      Most people don't want to become insurance experts or hope that their circle of friends is clued up enough to protect them.

      If not for government regulation, both explicitly in complicated arcane rules, and implicitly in the form of allowing ludicrous litigation, liability, and protecting unions, then the cost of both replacing the car and providing healthcare would be so low, that a year's worth of auto insurance would cost $100.

      Since it would cost about $2500 to buy a brand new SUV, and a week's stay in the hospital with all the medical attention required to address serious injuries from an accident would still be less than $3000. You could save up 4 years worth of premiums and stop buying any insurance..... thus creating a competitive downward pressure on insurance rates!

      In other words, regulations created by the government are indirectly raising costs by a factor of 20000%.

  2. Hello insurance fraud by Dan1701 · · Score: 5, Interesting

    The most obvious reason for an attack here is to commit insurance fraud. At present, an insurance company is forced to base an insurance premium on all the meta-data they can possibly gather about the prospective client, excepting their sex if they are in the EU (although this may well lead to a quite astonishing number of men called "Sue", if insurance companies attempt to bypass this and link first names to insurance risk).

    A data-gathering dongle would seem to offer a much better deal, allowing the company to charge more if the user indulges in risky behaviour of some description.

    A possible reason for hacking into the module would therefore be to falsify the data sent back to the company; a boy racer who regularly breaks speed limits, corners absurdly fast and brakes late if at all would gain substantially from a fraudulent data recording which portrayed him as someone with the driving habits of an octogenarian grandmother; such a person might also think that the gamble of sending such phoney data was well worth the savings when set against the fairly low risk of getting caught.

    It therefore worries me that companies are this lazy when building such equipment. It really doesn't take all that much to keep out the majority of crackers right from the start, and as the skilled ones are in the minority, taking a little care initially would pay dividends down the line.

    1. Re:Hello insurance fraud by msauve · · Score: 1

      Yes, this.

      Where's the proof of concept firmware which generates a fake, slightly randomized weekday round trips to work at speeds below the limit, and totally ignores real world driving?

      It seems to be mainly the interest of the insurance company to add security, not the user's.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Hello insurance fraud by BarbaraHudson · · Score: 1

      There's a problem with that scheme. The fake dongle says you got from point A to point B in much more time than it took, right? So what happens if, at point B, you're in an accident? The fake dongle won't sent the right data for that, at the right time, and probably witnesses and the other driver will also give the right time (esp. if the other driver has a real dongle).

      Also, a car tends to sustain much more damage from a 60 mph impact than a 25 mph impact.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:Hello insurance fraud by Mal-2 · · Score: 1

      There's a problem with that scheme. The fake dongle says you got from point A to point B in much more time than it took, right? So what happens if, at point B, you're in an accident? The fake dongle won't sent the right data for that, at the right time, and probably witnesses and the other driver will also give the right time (esp. if the other driver has a real dongle).

      Also, a car tends to sustain much more damage from a 60 mph impact than a 25 mph impact.

      You don't adjust the arrival time at point B, you adjust the departure time from point A.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    4. Re:Hello insurance fraud by DarkOx · · Score: 1

      See the trouble with that is unless he can be sure, that in the event of an accident he is able to remove the device and conceal any evidence of tampering, at the scene he will be awful unhappy when they deny his claim and prosecute him for fraud.

      All the fancy computer security aside, they could probably just use one of those stickers that leaves 'void' behind when you pull it off applied by the agent across the device where it meets the ODBII/III connector.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:Hello insurance fraud by BarbaraHudson · · Score: 1

      And the excess damage?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    6. Re:Hello insurance fraud by Joe_Dragon · · Score: 1

      so will the agent be there for each Vehicle Emissions testing? each time you go to the dealer or some where for a check engine light?

      Be there for an 3rd party oil change
      http://www.mudah.my/BMW+OBD+II...

    7. Re:Hello insurance fraud by Anonymous Coward · · Score: 1

      The brick wall was accelerating rapidly.

    8. Re:Hello insurance fraud by turbidostato · · Score: 1

      "And the excess damage?"

      What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

      Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor I designed my car.

      Do you think I commited fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for puting me at risk for your lack of due diligence.

    9. Re:Hello insurance fraud by AK+Marc · · Score: 2

      You don't expect to get caught. Also, you time your "fake" trips to be well off from your regular routine. The dongle will be sending back "parked in the garage" at the time of the crash. Then you just plug it in and claim it must have malfunctioned. Just because you are too dumb to fool someone else, doesn't mean we all are.

      --
      Learn to love Alaska
    10. Re:Hello insurance fraud by silas_moeckel · · Score: 2

      Or we can just ban these idiotic things, whats next health insurance companies stapling pedometer's onto people get a lower rate?

      Insurance is supposed to be about aggregating risk, the problem is the lower end of the risk pool is paying more then the out of pocket they could expect and leave the pool if they can. Auto insurance is harder to leave you have to drive (if you want to live outside an urban envirnment) and it's not optional.

      --
      No sir I dont like it.
    11. Re:Hello insurance fraud by sjames · · Score: 1

      There would be limits, but it could do things like changing wide open throttle to accelerate to speed in 2 seconds into moderate throttle to come to speed in 4 seconds.

      As long as you don't diverge too far from reality, the rest can be explained well enough by inaccuracy in the hardware. In some places GPS gets really inaccurate normally.

      I'm not saying it's a good idea, just that it's close enough that there will be people trying it.

    12. Re:Hello insurance fraud by Bing+Tsher+E · · Score: 3, Interesting

      whats next health insurance companies stapling pedometer's onto people get a lower rate?

      You don't think those bluetooth 'fitness monitors' that are popping up in the market won't eventually be used to 'provide insurance customers with more preferable rates' if they wear one connected to an Insurance Companies database?

      Citizen! We are all in this together. We all pay for each others' healthcare. It in in all of our interests for EVERY citizen to live an optimally healthy lifestyle.

    13. Re:Hello insurance fraud by beelsebob · · Score: 2

      "And the excess damage?"

      What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

      Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor I designed my car.

      Do you think I commited fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for puting me at risk for your lack of due diligence.

      Yes the insurer absolutely will think you committed fraud. Then their very first step will be to ask the police for an accident report. The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle.

      Believe me, when that is put in front of a judge, your "putting you at risk" charge is going to be thrown out, and their fraud charge is going to hit you square between the eyes.

    14. Re:Hello insurance fraud by silfen · · Score: 1

      It therefore worries me that companies are this lazy when building such equipment

      Among all the areas in daily life where companies can hurt me through weak security, this is way down on the list.

      My first concern? Probably that US banks and credit card companies should start using smart chips, two factor authentication, and reliable notification, all of which are easy to do and widely used elsewhere.

    15. Re:Hello insurance fraud by DarkOx · · Score: 1

      The vast vast majority of municipalities and vehicles are not subject to emissions testing. So for most people it won't be an issue, except when if diagnostics are needed.

      Most mechanics are already pretty used to applying stickers etc, where states/counties require safety inspections, if customers want the convenience I am sure the major insurers can mail these folks a roll of stickers they can reapply; under threat of not being able to obtain additional stickers and inconveniencing their customers if they don't handle the stickers properly.

      Everyone else just gets a weeks grace period or whatever to swing by their local branch office and get their agent to apply a new sticker.

      I am not saying its a great solution but probably more workable than you think.

      Finally maybe the devices could be designed to offer a pass through so you can connect an additional ODBII devices, the device could just proxy the commands and responses, maybe the state would not allow if for emissions tests, but your mechanic could still get his diagnostic info.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    16. Re:Hello insurance fraud by Gilgaron · · Score: 1

      I'm not joking: they gave us pedometers at work to get a lower rate on our health insurance. It is optional, of course. You can look it up, they're using Virgin Pulse, I imagine there are many others. You get even more discount if you make up meal plans and on and on.

    17. Re:Hello insurance fraud by Culture20 · · Score: 1

      The problem with such a program is that the insurance company has the data from other dongles on the same roads. Presuming there are timestamps on the accelerations, they can model traffic flows. If everyone is stopped at a stoplight in the reconstructed model but your fake data shows you driving through the light at speed limit minus one, their analysis program will know something is wrong with your data. Investigation ensues.

    18. Re:Hello insurance fraud by msauve · · Score: 1

      You think a company who doesn't bother with even simple security is going to do that?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    19. Re:Hello insurance fraud by ruir · · Score: 1

      Can your dog walk your pedometer around home?

    20. Re:Hello insurance fraud by turbidostato · · Score: 1

      "the insurer absolutely will think you committed fraud"

      Absolutly yes, of course. Heck! they probably default to think there's a fraud even if lacking any evidence.

      A very different thing is for them to *demonstrate* there's a fraud or, at least, being a civil case, that it heavily smells like fraud.

      "The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle."

      And the insured will claim that his coverage is bound to the dongle as per the contract since his anual bill is also bound to it. So, on one hand, the insured will claim the real-time measures from the dongle are correct and, on the other, that even if they are wrong, his coverage and liabilities are bound to the dongle as per contract.

    21. Re:Hello insurance fraud by Gilgaron · · Score: 1

      I think that would work, but it'd be even better to put it on one of the kids. They'd take more steps and at least they're on the health plan...

    22. Re:Hello insurance fraud by Cramer · · Score: 1

      This assumes a "black box" in every car, they all have sync'd atomic clocks, and they're recording data like an F1 on-board telemetry recorder. (all three are not true, btw.)

    23. Re:Hello insurance fraud by strikethree · · Score: 1

      A possible reason for hacking into the module would therefore be to falsify the data sent back to the company; a boy racer who regularly breaks speed limits, corners absurdly fast and brakes late if at all would gain substantially from a fraudulent data recording which portrayed him as someone with the driving habits of an octogenarian grandmother

      This is one of the things that annoys the hell out of me. Speed, in and of itself, does NOT cause accidents. That boy racer type may be avoiding accidents (except when he is racing, where the goal is to win, not drive safely) and the octogenarian may in fact be causing numerous accidents by changing lanes at slow speed in front of faster moving traffic.

      A dongle will NOT tell you what is going on around the car. Generally speaking, you should be going slightly faster or slightly slow than traffic around you. This keeps traffic flowing smoothly. Move out of the way if someone appears to be going faster than you. Do not tailgate if someone is going slower than you... of course, expecting cooperation will surely lead to disappointment so all you can do is try to follow the two rules above as best you can and take a zen approach when others choose not to cooperate.

      Regardless, there is no single set of traits that can be measured through ODB II that will indicate whether or not a person is a good driver or a bad driver.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  3. Who would ride with these dongles anyway? by Anonymous Coward · · Score: 1

    Seems like a massive invasion of privacy and a potential big gotcha to raise rates or deny payouts in certain instances.

    Technically, I speed 90% of the time. But it's appropriate speed for the road and my driving 22 years no without an accident attests to that. Should be good enough for the insurance company.

    Even if you could put these dongles in a makeshift faraday cage, afraid the insurance will refuse to pay out one day if it's not plugged in and reading data.

    As it is now, I think they are more to collect marketing data to sell to other companies. They have your private info, and now where you exactly go to? Sounds like a marketers wet dream.

    1. Re:Who would ride with these dongles anyway? by mrchaotica · · Score: 1

      In some areas, literally 100% of drivers are speeding. Does that mean they're all selfish assholes, or does it mean the speed limit is too low?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:Who would ride with these dongles anyway? by Bing+Tsher+E · · Score: 1

      In my experience, both. But I live in a pretty dirtbag part of the country. People are REALLY into their cars here.

    3. Re:Who would ride with these dongles anyway? by petermgreen · · Score: 1

      Who would ride with these dongles anyway?

      Desperate teenagers who are priced out from getting insurance any other way!

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  4. Time for the Ransomware by RichMan · · Score: 3, Insightful

    If you want to drive your car again, send $500 to .... until then the ignition is locked.

    1. Re:Time for the Ransomware by rmdingler · · Score: 2

      Is there any room to name one's own counteroffer with the price gun?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:Time for the Ransomware by wierd_w · · Score: 1

      except that the firmware in the ignition control system of the vehicle is written on actual PROM chips, not EEPROM chips, because they have to operate in a hazardous environment. (Temperature extremes, moisture intrusion, dirt, corrosion, etc.) Voltage spikes from slowly decaying wiring, or other sources of irregularity can damage an EEPROM's contents, where a PROM will just burp a little, then be fine after the irregularity. (assuming it isnt a very large spike that can kill silicon anyway)

      This means that the ODB2 interface (the little connector under the dash) can at best, only be used to circumvent proper engine function when another device is attached to the bus that has such programmability.

      There most certainly ARE such devices on the market, such as the lojack type devices used to prevent vehicle theft on vehicles that arent paid off, etc-- used by used car lots and the like, but these are purposefully installed in a fashion that makes physical removal of the device difficult without the correct tools/equipment. The vehicle runs just fine without such devices attached.

      In the case of one of these really shitty dongles, physical removal of the dongle should suffice. The vehicle would then operate with no outside manipulation of its ignition control system. They try ransoming the vehicle, just pull the dongle.

      The bigger concern is possible malicious actions, such as "Murder by remote" type situations. The vehicle has such an exploitable device (with its lack of challenges against the network it is communicating with), and a murderer chooses to exploit this to make the ignition control system refuse to fire any of the spark plugs, or to drive any of the fuel injectors. The vehicle stalls while driving 70mph (or faster) on a crowded highway during a lane-change, or while passing. Perhaps the antilock brakes (automatic skid control systems have control over braking) are exploited, and the brakes on one side of the vehicle slam down while doing said 70mph, and the vehicle spins out of control or flips over.

      Considering that there is absolutely NO protection here, (No challenge/response, no encryption, no verification of remote network authenticity, etc.) there is definitely room in the criminal underworld for such a remote exploit. Professional hitmen, (and government agencies) would love such a toy.

      I mention this possible application, because the obvious one of insurance fraud has already been brought up a few times.

      Still, the solution is the same. Physical removal of the dongle solves all the problems.

    3. Re:Time for the Ransomware by Minupla · · Score: 4, Insightful

      Just as a point of interest, there was a talk at Defcon last year where someone built a IPS (intrusion prevention system) for the bus of the car. It turns out that the communication matrix for a car is a very static system. The parts of a car that communicate with each other do so often (e.g. Engine controller and injection system), and predictably. Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do. So it's possible to build a device that models the system by listening on the bus and if it suddenly sees new traffic patterns shorts out the bus, leaving you with a less smart, but still on 4 wheels and not careening into oncoming traffic, car.

      Seems like something the OEMs should be looking into.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    4. Re:Time for the Ransomware by wierd_w · · Score: 3, Interesting

      No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

      However, this would require a "smart" component inside the dash, between the actual ignition control system/ACS system, and the ODBII port interface. Such a device would need to have a reference pattern to check current communications against, and would need some level of processing capacity to compare realtime engine diagnostic data and bus activity against the reference. (Does not need to be fancy here, but this does imply the ability to program a new reference pattern later, especially if the system is fully adaptive to changing engine conditions over time.)

      This then places some significant implementation considerations on the vehicle manufacturer-- this device has to somehow be able to be field-reset at a dealership if it gets confused after having the engine serviced, and also needs to have nothing but read-only access to the engine's control system. The only thing it should have "write" access to should be the fuse. (And maybe an indicator lamp)

      However, given the less than spectacular implementations of integrated devices in modern vehicles (in terms of security, and security oriented design/implementation) I question if such a device would be properly implemented.

      I get the sneaky suspicion that the automaker would be ... "tempted" ... by dealerships and other retailers in the market to integrate lojack functionalty into the security device, thus making it itself into the target of exploits. (Otherwise, the purposeful activation of the intrusion failsafe would render actual lojacks incapable of stopping cars, by disabling the communication bus. This means removing the fuse would essentially disable such countermeasures.) This would then make "remove the dongle" no longer an option.

      When presented with a choice between "properly implemented security" and "Pressure from their customers" (Auto manufacturers RARELY, if ever, sell directly to the public. THEIR customers are the dealerships.) , I expect automakers will choose to placate their customers every single time.

    5. Re:Time for the Ransomware by Lumpy · · Score: 1

      I can rewrite the OS in my ECM and BCM at any time they are EEPROMS and FLASH not PROMS.

      Maybe back in 1988 they were PROMS, today's cars are field programmable, Hell BMW's have been field programmable since the 90's.

        I've been hacking on cars for hotrodding for 20 years and ALL OF THEM have been easily modified for decades. Up to 1998 you had solidified chips but the Advent of ODB-II had field programmability very VERY common.

      --
      Do not look at laser with remaining good eye.
    6. Re:Time for the Ransomware by Minupla · · Score: 1

      No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

      Doesn't protect against other attack avenues that have either been hypothoized or demo'd though. The entertainment unit always seems popular. Trojaned CD in the player, for example or exploit against the bluetooth system. Hey I wonder what happens to that cute bit of software that displays what song the FM station is playing if the station sends YourPawnedxxxxxxxxxx....?

      I'm not sure most of the security sector put it together that someone might voluntarily install their own remotely exploitable device into the bus in sufficient numbers to be interesting. Guess we should know better then to underestimate the power of a discount!

      (I do agree with the rest of your post btw.)

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    7. Re:Time for the Ransomware by wierd_w · · Score: 2

      That's unfortunate... I can see why it would be desirable by the manufacturer and dealer, (as it would enable quite a few shady practices by both), but I question how stable EEPROM is compared to PROM in the hazardous environment under the hood or dash. (I know some modern systems are installed under the center console between the front seats, and some are installed under the passenger or driver seat, but this is still a problematical location in terms of operating environment. Still has large fluctuations in ambient temperature and issues with moisture and corrosion.)

      I have seen ODBII dongles made specifically for hotrodding that contain new fuel mix tables and timing data for the ignition control system, but havent really seen kits to completely re-flash the ICS's computer.

      Guess you learn something new every day.

    8. Re:Time for the Ransomware by mjwx · · Score: 1

      Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do.

      Most systems will have some kind of physical security, the entertainment system wont be able to communicate with the AWD system. Engineers are pretty bright and know that if you could issue a command from the bluetooth on the stereo to send 80% of the power to the back right wheel at highway speeds it would be a very bad thing.

      However the ransomware doesn't need to be deadly, it just needs to be annoying. So the weaker systems like the infotainment unit are prime targets... I.E. pay us $500 or we'll leave Shake It Off on repeat.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    9. Re:Time for the Ransomware by tibit · · Score: 1

      how stable EEPROM is compared to PROM

      Electrically-programmable fused PROMs suffer from bit rot and simply are not made anymore. I hate the damn things with a passion, they are one of the causes of good legacy test equipment turning getting bricked. The legacy OTP EPROMs require high voltage for programming and the only concern with them is slow charge decay. These days, it's FLASH all the way.

      Alas, you're making up imaginary problems. Every high-rel firmware-based system will not only verify the integrity of the firmware upon boot-up, but continuously during operation. I mean, heck, we're not even talking about the cars here - my washer and dryer are both running continuous firmware CRCs in the background, all the time, as well as RAM integrity and plausibility checks.

      Never mind that the inside of an ECU module is quite isolated from exterior noise. Every circuit going through the box has extensive filtering and surge protection. The logic supply voltages will be within spec all the while the battery voltage swings every which way (think of a range from single volts to a hundred or two).

      --
      A successful API design takes a mixture of software design and pedagogy.
    10. Re:Time for the Ransomware by Lumpy · · Score: 1

      It's not as filtered as you think. A single shorted sensor can and does cause other problems in car ECM's. BMW E30 ECM if the oil level sensor shorts out will cause other sensors to read as failures as well as power brown outs tot he processor causing major issues.

      Car electronics are only built a step up from consumer electronics nowdays. It's quite a joke as to how crappy the engineering in all the electronics in a car are.

      --
      Do not look at laser with remaining good eye.
    11. Re:Time for the Ransomware by Lumpy · · Score: 1

      Older cars the Spark and fuel tables WERE a part of the firmware, in fact every time I flashed a new EEPROM for the 7730 ECM I rewrote the whole thing. I even went as far as used a larger EEPROM and tied the highest Address line to a switch so I could write multiple copies with different tables in the single EEPROM and flip a switch on the fly to go from street driving for smooth and decent gas mileage, to racing with aggressive spark tables and dumping in fuel like a banshee. the CPU in the 7730 did not even know I switched anything if done at idle. I even added features like intercooler spray activation that the ECM never supported.

      Todays cars, the software is written horribly so they need to do updates. BMW updated the entire firmware package to my Transmission twice.

      --
      Do not look at laser with remaining good eye.
    12. Re:Time for the Ransomware by tibit · · Score: 1

      I think that the part of the issue is that there's really not all that much standardization that has force of law when it comes to ECUs. It's sad to see that they use an ECM that has such silly issues.

      --
      A successful API design takes a mixture of software design and pedagogy.
    13. Re:Time for the Ransomware by Minupla · · Score: 1

      Sadly the relevant research shows that while you would like this to be the case, it isn't.

      If you'd like to know more, look at the defcon conference videos for the last few years.

      Just as a for example, I'll direct you to this article:

      http://www.nytimes.com/2011/03...

      There was also a talk this last year that went into the architectural design of the car's network, and showed that in most cases there was no device between the head end unit and the sensitive items in a car, and where there was it wasn't a security device, merely a signal management unit, and the presenter expected to be able to jump it. But again, typically if you get access to the bus, you can talk to anything you want. There was also a lovely bonus bit where they showed you could update the to an arbitrary unsigned firmware due to some sloppiness in the process. (if you cut the power at the right time, the recovery process didn't do the appropriate checks. Once they got in and could analyze the python scripts being used, they discovered if you wrote a specific character (I think D but my memory could be playing tricks on me) to the right sector of the CD, it would bypass the signature checks and just update the firmware.

      Engineers are generally smart, but they also tend to design to the specifications. If you don't TELL them to consider an attacker in their designs, they don't.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  5. Nerds gonna have perfect driving habits by vpness · · Score: 1, Flamebait

    In other news, nerds flock to progressive insurance and claim safe driving styles resulting in the lowest possible insurance rates. Progressive in press release say 'we hypothesize it's because nerds don't party or stay out late'

    1. Re:Nerds gonna have perfect driving habits by PopeRatzo · · Score: 2

      Progressive in press release say 'we hypothesize it's because nerds don't party or stay out late'

      Nonsense, I've been to board game parties where 6 of us went through almost a whole quart of 3.2 beer. We rocked the house until almost 10:30pm. I mean, it was a work night after all and I had to get home to watch the DOTA2 quarterfinals on Twitch.tv.

      --
      You are welcome on my lawn.
  6. Re:Is it really a surprise? by rudy_wayne · · Score: 2, Insightful

    That most people don't give a damn about security "because it is hard"?

    Actually, security is not hard. But, security done properly requires you to commit substantial resources -- people, time, money. And that cuts into profits, so most most companies are not interested.

  7. Re:Is it really a surprise? by Culture20 · · Score: 1

    Some companies will happily spend money and people on the security problem, but individual people within the company refuse the spend the time, using workarounds to skip having to deal with security. Sometimes this means using the computing resources nonsecurely, but other times it means avoiding using the computing resources.

  8. Re:The Myth of Tamiflu: 5 Things You Should Know by Black+Parrot · · Score: 1

    But will a wearing a dongle help?

    --
    Sheesh, evil *and* a jerk. -- Jade
  9. Re:Is it really a surprise? by Darinbob · · Score: 1

    Adding security features gets in the way of the primary goal, which is to sell the product to unsuspecting companies.

  10. onStar? by Black+Parrot · · Score: 1

    What do we know about the security of systems such as onStar?

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:onStar? by DigitAl56K · · Score: 5, Insightful

      That's a very valid point, but let's not pretend that you couldn't have the benefits of OnStar without most of the nasty privacy issues. A limit on data retention, clear indication when the device is listening in, and not selling subscriber data to the government would resolve a lot of the criticism.

    2. Re:onStar? by Solandri · · Score: 1

      and not selling subscriber data to the government

      I've wondered, what's to stop them from collect that data even if you're not a subscriber?

  11. Re: The Myth of Tamiflu: 5 Things You Should Know by sjames · · Score: 1

    It can cause psychiatric symptoms in some...

  12. Privacy vs Security by MrKaos · · Score: 2
    Whilst it's a little twist on Franklin's words it is appropriate. People who give up their vehicle data privacy for lower cost insurance premiums in time will for premiums up for people who choose not to use one of these dongles.

    I'm glad the insurance companies are so lax with those peoples security as to make them a target for crackers. It shows they are subject to the same type of contempt the insurance companies demonstrated in the first place. People too insular to be concerned deserve to be subject to every exploit there is.

    --
    My ism, it's full of beliefs.
  13. Direct connect by jklovanc · · Score: 2

    From the article.

    By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits

    SO only direct connect has been proven.

    The researcher noted that for a remote attack to take place, the concomitant u-blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too. Such systems have been exploited in the past, as noted in a paper here from Ralf-Philipp Weinmann, from the University of Luxembourg.

    Remote access has only been shown by similar systems.

    Call me when you can actually show a remote exploit through the dongle.

    1. Re:Direct connect by tibit · · Score: 1

      The problem is that you have a system that's not inherently safe - it merely rides on the unproven safety of one single component. A resilient system would have many barriers that you have to break down in order to gain access. This one has just one. For all we know, it has already been broken.

      --
      A successful API design takes a mixture of software design and pedagogy.
    2. Re:Direct connect by strikethree · · Score: 1

      Call me when you can actually show a remote exploit through the dongle.

      By then, it will be too late. Why is it that people so blithely ignore someone who points out that going in the wrong direction is liable to lead to all sorts of nastiness?

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    3. Re:Direct connect by jklovanc · · Score: 1

      So bypass the hard parts by soldering into the circuits and then say the device is insecure. We have no idea how many layers they bypassed. This is like entering the bank, shutting off the alarm with the code, opening the vault door with the combination, drilling a few safety deposit boxes and then saying safety deposit boxes in banks are insecure.

      If you need physical access to the dongle it is not a true exploit of the dongle.

  14. Seriously by nospam007 · · Score: 1

    I had a client who actually bought holy Mary anti-virus stickers to put on the outside of the computer.

  15. It's a gamble by swb · · Score: 1

    It's a gamble between two opposing forces of insurance:

    1) On one hand, insurance companies are bureaucracies and handling claims is a bureaucratic process with a certain amount of inertia, where obvious fraud needs to be caught but time/people/resources don't exist to fine-grain protect against all possible marginal fraud, otherwise the system would grind to a halt. A tracking device with a minor deviation from observed damaged may just get written off as the strangeness of physicals or the brittleness of plastic cars -- I mean, we have the data, right?

    2) On the other hand, IMHO, the insurance company is almost in the primary business not of supplying insurance or processing claims, but in DENYING claims. Insurance fraud is a huge risk, the more claims they can deny the more money they make and they have deep and long-term investments in actuarial data and statistics. They may already have enough tracking device data in their databases to *know* that your physical damage doesn't align with the tracking data.

  16. Re:Is it really a surprise? by tibit · · Score: 1

    It's not hard, it's simply not part of the usual product specs. The device is supposed to do stuff, that's the primary thrust when doing the development. The mindset of the entire industry must change before we start expecting things to be secure but otherwise buggy first, not - as it is now - functionally perfect but insecure.

    --
    A successful API design takes a mixture of software design and pedagogy.
  17. Re:And Allstate/State Farm are making them Mandato by PPH · · Score: 1

    Wow. I wonder what I'd do if my State Farm agent pulls this stunt on me. My cars predate OBD II or any other diagnostic ports by a few decades.

    I'd be happy to put them in the ashtray or something.

    --
    Have gnu, will travel.
  18. OBD II Condom by PPH · · Score: 1

    There might be a market for a defice that can be placed between any such 'required' dongles and a vehicle's actual systems. Something that can pass certain data in only one direction (read-only vehicle parameters) and block requests (and spoof handshake signals) should dongle attempt to make an unwanted request of the vehicle's systems.

    I can also see a market for such a device where emissions tests are done by reading the data port. Just tell the port filter to always reply with an 'all is well' code.

    --
    Have gnu, will travel.
  19. Wrap it in a mylar bag or aluminum foil. by Virtucon · · Score: 1

    If you're worried about it, solve the problem at the communications layer. Wrap the dongle in such a way that it can't transmit or receive data. "What you're not getting the data? Wow that's strange. I have it plugged in." Either that or find another insurance company that doesn't track you. The fact that you've allowed a device to track you in the first place means that you've exposed yourself to risks, some overt such as your lead footed behavior is know a known quantity and inadvertent in terms of a hacker potentially changing your ECM or some other system in your car. What we need are stronger privacy protection laws as well as some insurance reform that says your rates are based on what you drive, how much you drive and your driving record. Every time you have somebody do an oil change, that information is sold and mined (Carfax etc.) so Insurance companies can verify mileage and tickets/accidents are all a matter of public record. Therefore there's no need for this kind of tech.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  20. Re:And Allstate/State Farm are making them Mandato by Bob+the+Super+Hamste · · Score: 1

    I'd tell them they can install it on my vehicle and let them sort out a positive ground pre-emissions little british roadster. Of course the Lucas Electric components may let magic smoke out of their device but it wouldn't be my problem.

    --
    Time to offend someone
  21. Am I missing something? by ripvlan · · Score: 1

    It is nice to know that these security hole exist. Others have pointed out how these might be ... put to use.

    I found the article lacking. Here's what I'm missing - nowhere in the article did I gain an understanding of the feasibility of attacking this system. We've elsewhere seen people unlocking cars from the outside (either breaking a window and using the port or wirelessly). Breaking the glass is just that - Break Glass and people would notice.

    Having to unplug this device and write new firmware isn't really a hack. Yes - it would be nice if these things had security codes stamped into them for access to the mothership. Still - from outside the car how do I attack this thing? How do I take over this thing and make use of it?

    I'm sure there's a way, I'm just not getting a feeling of the priority here. I won't signup for these devices because of the big brother aspect. Shaming the companies for low security is fun. And there are hypothetical attacks on the cell system. But how serious is this? What is my attack surface right now?

  22. Re:Is it really a surprise? by mysidia · · Score: 1

    other times it means avoiding using the computing resources.

    Or using different resources... such as Dropbox for file sharing, instead of file server and VPN client.

  23. Re:Is it really a surprise? by mlts · · Score: 1

    Even more ironic, proper security isn't really that hard or expensive. Most of the tools are already sitting there ready to be used, and tools like SolarWinds, Splunk, and adding IDS/IPS functionality to network devices is not budget busting. Heck, just SCOM alerts about the attempts at brute-forcing domain users sent to the right people's email would have stopped the Sony attack in its tracks.