“Cheaper car insurance” dongle could lead to a privacy wreck

US researcher Corey Thuen decided to take a closer look at an add-on ICS device plugged into his car.

ICS is short for Industrial Control System.

That’s a jargonistic cousin to SCADA (Supervisory Control and Data Acquisition) and IoT (Internet of Things).

The device Thuen thought was worthy of attention is a USB-drive-sized dongle that plugs into your car’s OBD2 port.

More jargon: OBD2, more properly written “Roman style” as OBD-II, stands for On Board Diagnostics, Version 2.

It’s a mandatory, easily-accessible, standardised data port on modern cars.

Apparently, it’s aimed at least in part at limiting what you might call “diagnostic monopoly.”

That’s where car companies inhibit an open market in service, tuning and repair by keeping secrets about your car and your driving that you can’t access yourself.

We’ve already written about OBD in the context of car thefts, when police and journalists in the UK blamed a spate of car thefts on a hacking kit that allowed you to reprogram the ignition key via the OBD2 port.

(Sidenote: you had to break into the car as part of this “hack”, for example by stealing the very key you wanted to bypass.)

Now, in the US, various insurance companies are flirting with dongles that use the OBD2 port to monitor and collect some of your driving habits.

Thuen’s car, for example, had the Snapshot dongle from the Progressive Casualty Insurance Company:

The idea is that the more the company likes how you drive, the lower your premiums.

Ironically, the information used to rate your driving is pretty basic: time of day, distance travelled, and how often you do what the company calls a “hard brake.”

They don’t define exactly what that means, but the assumption seems to be that if you “hard brake” a lot, then you are either prone to recklessness or bad at anticipation.

The device beeps whenever it clocks up a hard brake, so you can learn to drive without triggering the alerts and thereby improve your rating.

→ We realise that it is possible to learn to avoid braking simply by refusing to slow down, e.g. by overtaking dangerously, forcing your way through risky gaps, driving in the emergency lane, or running red lights. But no-one would do that.

The Snapshot apparently includes a mobile network modem, which it uses to call home to upload data as you drive around.

Oh, and “some devices,” says Progressive, “also collect location data: we collect it only as part of our ongoing efforts to improve Snapshot — we don’t use it to calculate your [premiums].”

So, Snapshot doesn’t penalise you for getting the hammer down on twisty backroads instead of using the motorway, or for visiting high-crime areas.

But, if it can, it nevertheless collects, transmits and stores the places you’ve been.

In short, you’d certainly hope that the Snapshot hardware designers and programmers took data security seriously during development.

Otherwise, the very dongle that was supposed to help you learn to be a safer driver might leave you more exposed from a privacy and online security perspective.

In short, even if you conducted yourself impeccably behind the wheel, merely being out driving could harm the rest of your digital life.

And so Corey Thuen set out to answer the question, “Just how safe is Snapshot from a computer security perspective?”

According to Forbes, Thuen concluded that:

The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies.

That’s a lot of “No.”

Indeed, it certainly sounds as though a crook who had access to your car for a while could Trojanise your Snapshot to turn it into a comprehensive surveillance and tracking device, and neither you nor Progressive would be any wiser.

Nevertheless, if you cut down on those hard brakes, and didn’t drive between midnight at 4am, you’d still save money on your premiums!

The bottom line

This isn’t an earth-shattering vulnerability.

It’s not an unmitigated privacy disaster.

But it is a wake-up call for the ICS/​SCADA/​IoT world, which seems to be going down exactly the same path as many mobile apps: putting security in second place, and hoping no-one will notice.

In fact, according to Thuen, Snapshot doesn’t put security in second place, nor third, nor, indeed, anywhere:

[B]asically, [the product] uses no security technologies whatsoever.

But you could save several dollars a week, if only you learn not to slow down so much.