Slashdot Mirror

← Back to Stories (view on slashdot.org)

Insurance Company Dongles Don't Offer Much Assurance Against Hacking

Posted by timothy on from the best-hanging-from-rearview-mirror dept.

According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies basically it uses no security technologies whatsoever.”

8 of 199 comments (clear)

  1. Spoofing! by Anonymous Coward · · Score: 5, Interesting

    I've long thought there could be a really lucrative market for OBD2 spoofers. Instead of plugging the dongle directly into your car, plug it into a middle-man that feeds it the "happiest" possible data to make it think your driving is perfect. There is no authentication in the OBD2 protocol so there is no way for the dongle to tell the difference between a real OBD2 data feed and a spoofed one.

    1. Re:Spoofing! by Anonymous Coward · · Score: 4, Insightful

      I've long thought there could be a really lucrative market for OBD2 spoofers.

      Okay, so there's a market for insurance fraud hardware devices? Are you planning to sell these on this week's reboot of the Silk Road?

      BTW, there's better money to be made if you're willing to commit fraud or other felonies. I say skip the penny ante bullshit and go for credit card fraud. Most of those people get away with it because the issuing banks don't give a fuck due to sticking the merchants with the costs.

      HTH.

      Protip: not everything having to do with computers or electronic hardware needs a new "...on a computer" law in order to render it illegal. You may have confused this with the issuance of patents, where the addition of a computer algorithm is always considered a groundshaking breakthrough and worthy of allowing someone to rent seek over real innovators. No worries, this is a common misunderstanding. Have a nice day!

    2. Re:Spoofing! by danlip · · Score: 4, Insightful

      You think it's possible to implement a "new economic structure" that doesn't favor those with wealth and power more that the current one? The only people interested in a level playing field are those not at the top.

    3. Re:Spoofing! by TheRaven64 · · Score: 4, Interesting
      Just to clarify, your question is:

      A device can run arbitrary malicious code and is connected to a physical link to your car, to a system that has physical links to your engine management system, and was not written with security in mind, what's the worst that can happen?

      --
      I am TheRaven on Soylent News
    4. Re:Spoofing! by AmiMoJo · · Score: 4, Informative

      Not all manufacturers build their cars that. Some have an OBD-II bridge between the port and the main bus that makes the port read only except for a few very specific commands like resetting error codes. That's why if you look at those videos of people hacking a Prius on YouTube they have dismantled the entire dashboard. They had to get to the segmented parts of the bus, the diagnostic port was not enough to screw with anything interesting.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Hello insurance fraud by Dan1701 · · Score: 5, Interesting

    The most obvious reason for an attack here is to commit insurance fraud. At present, an insurance company is forced to base an insurance premium on all the meta-data they can possibly gather about the prospective client, excepting their sex if they are in the EU (although this may well lead to a quite astonishing number of men called "Sue", if insurance companies attempt to bypass this and link first names to insurance risk).

    A data-gathering dongle would seem to offer a much better deal, allowing the company to charge more if the user indulges in risky behaviour of some description.

    A possible reason for hacking into the module would therefore be to falsify the data sent back to the company; a boy racer who regularly breaks speed limits, corners absurdly fast and brakes late if at all would gain substantially from a fraudulent data recording which portrayed him as someone with the driving habits of an octogenarian grandmother; such a person might also think that the gamble of sending such phoney data was well worth the savings when set against the fairly low risk of getting caught.

    It therefore worries me that companies are this lazy when building such equipment. It really doesn't take all that much to keep out the majority of crackers right from the start, and as the skilled ones are in the minority, taking a little care initially would pay dividends down the line.

  3. Re:Time for the Ransomware by Minupla · · Score: 4, Insightful

    Just as a point of interest, there was a talk at Defcon last year where someone built a IPS (intrusion prevention system) for the bus of the car. It turns out that the communication matrix for a car is a very static system. The parts of a car that communicate with each other do so often (e.g. Engine controller and injection system), and predictably. Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do. So it's possible to build a device that models the system by listening on the bus and if it suddenly sees new traffic patterns shorts out the bus, leaving you with a less smart, but still on 4 wheels and not careening into oncoming traffic, car.

    Seems like something the OEMs should be looking into.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  4. Re:onStar? by DigitAl56K · · Score: 5, Insightful

    That's a very valid point, but let's not pretend that you couldn't have the benefits of OnStar without most of the nasty privacy issues. A limit on data retention, clear indication when the device is listening in, and not selling subscriber data to the government would resolve a lot of the criticism.