Slashdot Mirror


Insurance Company Dongles Don't Offer Much Assurance Against Hacking

According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies; basically it uses no security technologies whatsoever.”

33 of 199 comments

  1. Spoofing! by Anonymous Coward · · Score: 5, Interesting

    I've long thought there could be a really lucrative market for OBD2 spoofers. Instead of plugging the dongle directly into your car, plug it into a middle-man that feeds it the "happiest" possible data to make it think your driving is perfect. There is no authentication in the OBD2 protocol so there is no way for the dongle to tell the difference between a real OBD2 data feed and a spoofed one.

    1. Re:Spoofing! by Anonymous Coward · · Score: 4, Insightful

      I've long thought there could be a really lucrative market for OBD2 spoofers.

      Okay, so there's a market for insurance fraud hardware devices? Are you planning to sell these on this week's reboot of the Silk Road?

      BTW, there's better money to be made if you're willing to commit fraud or other felonies. I say skip the penny ante bullshit and go for credit card fraud. Most of those people get away with it because the issuing banks don't give a fuck due to sticking the merchants with the costs.

      HTH.

      Protip: not everything having to do with computers or electronic hardware needs a new "...on a computer" law in order to render it illegal. You may have confused this with the issuance of patents, where the addition of a computer algorithm is always considered a groundshaking breakthrough and worthy of allowing someone to rent seek over real innovators. No worries, this is a common misunderstanding. Have a nice day!

    2. Re:Spoofing! by mjwx · · Score: 2

      I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).

      This is the reason MOT tests still require the mechanic to look at the car instead of trusting the computer readouts.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Spoofing! by wiredlogic · · Score: 2

      Some are GPS enabled now which allows cross-correlation with the speedometer and internal accelerometer readings to detect fraud. Granted, you could cage the dongle and let them think it couldn't get a GPS fix from its position under the dash. A spoofer would also need its own accelerometer to generate believable data under acceleration and braking.

      --
      I am becoming gerund, destroyer of verbs.
    4. Re:Spoofing! by turbidostato · · Score: 2

      "So, how can you tell by simply looking whether the catalytic converter is working properly?"

      A "mechanic to look" is not just "simply looking". By measuring gases at the exhaust pipe you can know about the catalytic converter's health.

    5. Re:Spoofing! by AK+Marc · · Score: 2

      I've seen cars tuned to pass emissions with the cat removed. They ran like shit, but you could make them run long enough to "fool" the required tests. It's also not illegal to fool the tests. You can tune a car for the test, test it, then modify it (or swap out "illegal" parts for "legal" ones, test, then put them back). I had that "officially" recommended to me when my mod passed emissions, but didn't pass the visual test. The visual test is performed by Alaska to verify any modifications are approved by California, and is unrelated to the performance of the parts. If you can pass the emissions test, you'll fail if your part makers didn't pay the CARB tax.

    6. Re:Spoofing! by ISoldat53 · · Score: 2

      I would love to put one of these on a NASCAR car and watch Flo have a stroke.

    7. Re:Spoofing! by Lumpy · · Score: 2

      It is trivial. I can build one with an Arduino in 10 minutes. Build one that sits in between so that all the good data is there but it limits the data to acceptable levels so it all looks legit.

      --
      Do not look at laser with remaining good eye.
    8. Re:Spoofing! by AK+Marc · · Score: 3, Informative

      yeah, it's called "gasoline".

      And they don't work. If you are running rich, you need an oxygenation. If you are running lean, you need an octane booster. They are nearly opposite, so you don't get both in one. So you need to know the problem before you toss in an additive.

    9. Re:Spoofing! by danlip · · Score: 4, Insightful

      You think it's possible to implement a "new economic structure" that doesn't favor those with wealth and power more than the current one? The only people interested in a level playing field are those not at the top.

    10. Re:Spoofing! by mjwx · · Score: 2

      No you can't, not completely.

      Actually you can. Simple off-the-shelf units like this one measure all the gasses MOT tests for. You don't exactly need a mass spectrometer to get an accurate CO2 reading.

      Why do you think OBD monitoring is required,

      It's not. Why do you think it's required or better yet, why do you think it's accurate?

      if everything can be checked through simple inspection?

      The MOT test is not a simple inspection. It's not the 14 point inspection the tyre shop uses to entice gullible people in so they can up sell you on crap you don't need. It tests all the essential components of the vehicle from the lighting to the steering to rust on the body.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    11. Re:Spoofing! by KingMotley · · Score: 3, Insightful

      Perhaps it was perceived, but they determined that the market of people willing to face fines and possible imprisonment so that they can save $10 in their insurance wasn't big enough to warrant the expense of building all that extra security in.

    12. Re:Spoofing! by sjames · · Score: 2

      You better watch that talk about spoofing people's dongles. We don't want another scandal.

    13. Re:Spoofing! by TheRaven64 · · Score: 4, Interesting

      Just to clarify, your question is:

      A device can run arbitrary malicious code and is connected to a physical link to your car, to a system that has physical links to your engine management system, and was not written with security in mind, what's the worst that can happen?

      --
      I am TheRaven on Soylent News
    14. Re:Spoofing! by AmiMoJo · · Score: 2

      The merits would be a more level playing field and upward mobility, and quality of life

      I really doubt that. What will happen is the scammers will get rich, much as they do now but on a much larger scale. It's already possible to sell a complete POS simply by advertising the hell out of it, and removing regulations on advertising would just make the situation worse.

      Quality of life will plummet as people get screwed by dodgy healthcare contracts or people polluting their environment. They could sue of course, but who has the money for that? Prices will probably sky-rocket as well, since the moment you get rid of all the regulations and restrictions other countries will raise their tariffs to compensate. Free trade is only possible when the two sides have broadly similar costs. If US workers are cheap because they have no rights or protections, the EU will slap duty on US cars being exported to it so they don't undercut European manufacturers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re:Spoofing! by AmiMoJo · · Score: 4, Informative

      Not all manufacturers build their cars that way. Some have an OBD-II bridge between the port and the main bus that makes the port read only except for a few very specific commands like resetting error codes. That's why if you look at those videos of people hacking a Prius on YouTube they have dismantled the entire dashboard. They had to get to the segmented parts of the bus, the diagnostic port was not enough to screw with anything interesting.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:Spoofing! by Pascoea · · Score: 2

      savings

      That's a funny joke. I tried the snapshot. What a fucking joke. Three cars: Me, 20 mile daily rush hour commute. Wife, 15 mile "off peak" daily commute. Daughter, car literally sat in the driveway for the three months, with the exception of 2 trips from Minneapolis to Fargo and an occasional trip to the gas station around the corner. Me: 0% (ok, I expected that.) Wife: 3%, daughter 3%. Seriously? What do you have to do to get their 30%?

    17. Re:Spoofing! by dave420 · · Score: 2

      But every single person who files a false insurance claim or pretends to be a better driver than they are is costing everyone else money. Every single one of them. You not being able to tell with a cursory glance doesn't change that...

  2. Hello insurance fraud by Dan1701 · · Score: 5, Interesting

    The most obvious reason for an attack here is to commit insurance fraud. At present, an insurance company is forced to base an insurance premium on all the meta-data they can possibly gather about the prospective client, excepting their sex if they are in the EU (although this may well lead to a quite astonishing number of men called "Sue", if insurance companies attempt to bypass this and link first names to insurance risk).

    A data-gathering dongle would seem to offer a much better deal, allowing the company to charge more if the user indulges in risky behaviour of some description.

    A possible reason for hacking into the module would therefore be to falsify the data sent back to the company; a boy racer who regularly breaks speed limits, corners absurdly fast and brakes late if at all would gain substantially from a fraudulent data recording which portrayed him as someone with the driving habits of an octogenarian grandmother; such a person might also think that the gamble of sending such phoney data was well worth the savings when set against the fairly low risk of getting caught.

    It therefore worries me that companies are this lazy when building such equipment. It really doesn't take all that much to keep out the majority of crackers right from the start, and as the skilled ones are in the minority, taking a little care initially would pay dividends down the line.

    1. Re:Hello insurance fraud by AK+Marc · · Score: 2

      You don't expect to get caught. Also, you time your "fake" trips to be well off from your regular routine. The dongle will be sending back "parked in the garage" at the time of the crash. Then you just plug it in and claim it must have malfunctioned. Just because you are too dumb to fool someone else, doesn't mean we all are.

    2. Re:Hello insurance fraud by silas_moeckel · · Score: 2

      Or we can just ban these idiotic things, what's next, health insurance companies stapling pedometers onto people to get a lower rate?

      Insurance is supposed to be about aggregating risk, the problem is the lower end of the risk pool is paying more than the out of pocket they could expect and leave the pool if they can. Auto insurance is harder to leave: you have to drive (if you want to live outside an urban environment) and it's not optional.

      --
      No sir I dont like it.
    3. Re:Hello insurance fraud by Bing+Tsher+E · · Score: 3, Interesting

      what's next, health insurance companies stapling pedometers onto people to get a lower rate?

      You don't think those Bluetooth 'fitness monitors' that are popping up in the market won't eventually be used to 'provide insurance customers with more preferable rates' if they wear one connected to an insurance company's database?

      Citizen! We are all in this together. We all pay for each others' healthcare. It is in all of our interests for EVERY citizen to live an optimally healthy lifestyle.

    4. Re:Hello insurance fraud by beelsebob · · Score: 2

      "And the excess damage?"

      What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

      Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor did I design my car.

      Do you think I committed fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for putting me at risk for your lack of due diligence.

      Yes the insurer absolutely will think you committed fraud. Then their very first step will be to ask the police for an accident report. The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle.

      Believe me, when that is put in front of a judge, your "putting you at risk" charge is going to be thrown out, and their fraud charge is going to hit you square between the eyes.

  3. Time for the Ransomware by RichMan · · Score: 3, Insightful

    If you want to drive your car again, send $500 to .... until then the ignition is locked.

    1. Re:Time for the Ransomware by rmdingler · · Score: 2

      Is there any room to name one's own counteroffer with the price gun?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:Time for the Ransomware by Minupla · · Score: 4, Insightful

      Just as a point of interest, there was a talk at Defcon last year where someone built an IPS (intrusion prevention system) for the bus of the car. It turns out that the communication matrix for a car is a very static system. The parts of a car that communicate with each other do so often (e.g. Engine controller and injection system), and predictably. Other parts that don't (e.g. entertainment system, or that OBDII plug from the insurance company and the traction control system) never do. So it's possible to build a device that models the system by listening on the bus and if it suddenly sees new traffic patterns shorts out the bus, leaving you with a less smart, but still on 4 wheels and not careening into oncoming traffic, car.

      Seems like something the OEMs should be looking into.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    3. Re:Time for the Ransomware by wierd_w · · Score: 3, Interesting

      No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

      However, this would require a "smart" component inside the dash, between the actual ignition control system/ACS system, and the OBDII port interface. Such a device would need to have a reference pattern to check current communications against, and would need some level of processing capacity to compare realtime engine diagnostic data and bus activity against the reference. (Does not need to be fancy here, but this does imply the ability to program a new reference pattern later, especially if the system is fully adaptive to changing engine conditions over time.)

      This then places some significant implementation considerations on the vehicle manufacturer-- this device has to somehow be able to be field-reset at a dealership if it gets confused after having the engine serviced, and also needs to have nothing but read-only access to the engine's control system. The only thing it should have "write" access to should be the fuse. (And maybe an indicator lamp)

      However, given the less than spectacular implementations of integrated devices in modern vehicles (in terms of security, and security oriented design/implementation) I question if such a device would be properly implemented.

      I get the sneaky suspicion that the automaker would be ... "tempted" ... by dealerships and other retailers in the market to integrate lojack functionality into the security device, thus making it itself into the target of exploits. (Otherwise, the purposeful activation of the intrusion failsafe would render actual lojacks incapable of stopping cars, by disabling the communication bus. This means removing the fuse would essentially disable such countermeasures.) This would then make "remove the dongle" no longer an option.

      When presented with a choice between "properly implemented security" and "Pressure from their customers" (Auto manufacturers RARELY, if ever, sell directly to the public. THEIR customers are the dealerships.) , I expect automakers will choose to placate their customers every single time.
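
The baseline-then-alert idea described in the two comments above, as an added example that is not part of the original thread or of the Defcon talk it mentions: learn which frame IDs appear on a bus and how often, then flag unseen IDs and known IDs arriving much faster than learned. The frame IDs, timings, the `BusBaseline` class and the 0.5 tolerance are constructed assumptions; the response step (fuse or bus shutdown) is not modelled.

```python
"""Learn a CAN bus traffic baseline, then flag frames that do not fit it.

Illustrative sketch: every frame ID, timestamp and threshold here is a
constructed sample value, not data from a real vehicle.
"""
from collections import defaultdict
from statistics import median


class BusBaseline:
    def __init__(self, rate_tolerance=0.5):
        # A gap shorter than rate_tolerance * learned period counts as
        # "too fast" (extra frames mixed in with the legitimate sender's).
        self.rate_tolerance = rate_tolerance
        self.period = {}     # can_id -> learned median inter-arrival time (ms)
        self.last_seen = {}  # can_id -> timestamp of the previous live frame

    def learn(self, frames):
        """frames: iterable of (timestamp_ms, can_id) from a known-good capture.
        Calling learn() again adds to the reference, e.g. after servicing."""
        stamps = defaultdict(list)
        for ts, can_id in frames:
            stamps[can_id].append(ts)
        for can_id, ts_list in stamps.items():
            gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
            # An ID seen only once has no period; it is allow-listed by ID only.
            self.period[can_id] = median(gaps) if gaps else None

    def check(self, ts, can_id):
        """Return an alert string for one live frame, or None if it fits."""
        if can_id not in self.period:
            return f"unknown id 0x{can_id:03X}"
        prev = self.last_seen.get(can_id)
        self.last_seen[can_id] = ts
        expected = self.period[can_id]
        if prev is not None and expected is not None:
            if ts - prev < expected * self.rate_tolerance:
                return f"id 0x{can_id:03X} faster than baseline"
        return None


def run_monitor(baseline, frames):
    """Feed frames through the baseline and collect (timestamp, alert) pairs."""
    alerts = []
    for ts, can_id in frames:
        alert = baseline.check(ts, can_id)
        if alert:
            alerts.append((ts, alert))
    return alerts


# Constructed known-good capture: 0x0C9 every 10 ms, 0x1F1 every 100 ms.
TRAINING = sorted([(t, 0x0C9) for t in range(0, 1000, 10)] +
                  [(t, 0x1F1) for t in range(0, 1000, 100)])

# Constructed live traffic: one extra 0x0C9 frame at 12 ms and one frame
# with an ID (0x7DF) that never appeared during learning.
LIVE = [(0, 0x0C9), (0, 0x1F1), (10, 0x0C9), (12, 0x0C9),
        (20, 0x0C9), (25, 0x7DF), (30, 0x0C9), (100, 0x1F1)]


def demo():
    baseline = BusBaseline()
    baseline.learn(TRAINING)
    return run_monitor(baseline, LIVE)


if __name__ == "__main__":
    for ts, alert in demo():
        print(f"{ts:>5} ms  {alert}")
```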

    4. Re:Time for the Ransomware by wierd_w · · Score: 2

      That's unfortunate... I can see why it would be desirable by the manufacturer and dealer, (as it would enable quite a few shady practices by both), but I question how stable EEPROM is compared to PROM in the hazardous environment under the hood or dash. (I know some modern systems are installed under the center console between the front seats, and some are installed under the passenger or driver seat, but this is still a problematical location in terms of operating environment. Still has large fluctuations in ambient temperature and issues with moisture and corrosion.)

      I have seen OBDII dongles made specifically for hotrodding that contain new fuel mix tables and timing data for the ignition control system, but haven't really seen kits to completely re-flash the ICS's computer.

      Guess you learn something new every day.

  4. Re:Is it really a surprise? by rudy_wayne · · Score: 2, Insightful

    That most people don't give a damn about security "because it is hard"?

    Actually, security is not hard. But, security done properly requires you to commit substantial resources -- people, time, money. And that cuts into profits, so most companies are not interested.

  5. Re:Nerds gonna have perfect driving habits by PopeRatzo · · Score: 2

    Progressive in press release say 'we hypothesize it's because nerds don't party or stay out late'

    Nonsense, I've been to board game parties where 6 of us went through almost a whole quart of 3.2 beer. We rocked the house until almost 10:30pm. I mean, it was a work night after all and I had to get home to watch the DOTA2 quarterfinals on Twitch.tv.

    --
    You are welcome on my lawn.
  6. Re:onStar? by DigitAl56K · · Score: 5, Insightful

    That's a very valid point, but let's not pretend that you couldn't have the benefits of OnStar without most of the nasty privacy issues. A limit on data retention, clear indication when the device is listening in, and not selling subscriber data to the government would resolve a lot of the criticism.

  7. Privacy vs Security by MrKaos · · Score: 2

    Whilst it's a little twist on Franklin's words it is appropriate. People who give up their vehicle data privacy for lower cost insurance premiums in time will force premiums up for people who choose not to use one of these dongles.

    I'm glad the insurance companies are so lax with those people's security as to make them a target for crackers. It shows they are subject to the same type of contempt the insurance companies demonstrated in the first place. People too insular to be concerned deserve to be subject to every exploit there is.

    --
    My ism, it's full of beliefs.
  8. Direct connect by jklovanc · · Score: 2

    From the article.

    By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits

    So only direct connect has been proven.

    The researcher noted that for a remote attack to take place, the concomitant u-blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too. Such systems have been exploited in the past, as noted in a paper here from Ralf-Philipp Weinmann, from the University of Luxembourg.

    Remote access has only been shown by similar systems.

    Call me when you can actually show a remote exploit through the dongle.