Sophos Cloud Optix
US researcher Corey Thuen decided to take a closer look at an add-on ICS device plugged into his car.
ICS is short for Industrial Control System.
That’s a jargonistic cousin to SCADA (Supervisory Control and Data Acquisition) and IoT (Internet of Things).
The device Thuen thought was worthy of attention is a USB-drive-sized dongle that plugs into your car’s OBD2 port.
More jargon: OBD2, more properly written “Roman style” as OBD-II, stands for On Board Diagnostics, Version 2.
It’s a mandatory, easily-accessible, standardised data port on modern cars.
Apparently, it’s aimed at least in part at limiting what you might call “diagnostic monopoly.”
That’s where car companies inhibit an open market in service, tuning and repair by keeping secrets about your car and your driving that you can’t access yourself.
We’ve already written about OBD in the context of car thefts, when police and journalists in the UK blamed a spate of car thefts on a hacking kit that allowed you to reprogram the ignition key via the OBD2 port.
(Sidenote: you had to break into the car as part of this “hack”, for example by stealing the very key you wanted to bypass.)
Now, in the US, various insurance companies are flirting with dongles that use the OBD2 port to monitor and collect some of your driving habits.
Thuen’s car, for example, had the Snapshot dongle from the Progressive Casualty Insurance Company:
The idea is that the more the company likes how you drive, the lower your premiums.
Ironically, the information used to rate your driving is pretty basic: time of day, distance travelled, and how often you do what the company calls a “hard brake.”
They don’t define exactly what that means, but the assumption seems to be that if you “hard brake” a lot, then you are either prone to recklessness or bad at anticipation.
The device beeps whenever it clocks up a hard brake, so you can learn to drive without triggering the alerts and thereby improve your rating.
→ We realise that it is possible to learn to avoid braking simply by refusing to slow down, e.g. by overtaking dangerously, forcing your way through risky gaps, driving in the emergency lane, or running red lights. But no-one would do that.
The Snapshot apparently includes a mobile network modem, which it uses to call home to upload data as you drive around.
Oh, and “some devices,” says Progressive, “also collect location data: we collect it only as part of our ongoing efforts to improve Snapshot — we don’t use it to calculate your [premiums].”
So, Snapshot doesn’t penalise you for getting the hammer down on twisty backroads instead of using the motorway, or for visiting high-crime areas.
But, if it can, it nevertheless collects, transmits and stores the places you’ve been.
In short, you’d certainly hope that the Snapshot hardware designers and programmers took data security seriously during development.
Otherwise, the very dongle that was supposed to help you learn to be a safer driver might leave you more exposed from a privacy and online security perspective.
In short, even if you conducted yourself impeccably behind the wheel, merely being out driving could harm the rest of your digital life.
And so Corey Thuen set out to answer the question, “Just how safe is Snapshot from a computer security perspective?”
According to Forbes, Thuen concluded that:
The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies.
That’s a lot of “No.”
Indeed, it certainly sounds as though a crook who had access to your car for a while could Trojanise your Snapshot to turn it into a comprehensive surveillance and tracking device, and neither you nor Progressive would be any wiser.
Nevertheless, if you cut down on those hard brakes, and didn’t drive between midnight at 4am, you’d still save money on your premiums!
The bottom line
This isn’t an earth-shattering vulnerability.
It’s not an unmitigated privacy disaster.
But it is a wake-up call for the ICS/SCADA/IoT world, which seems to be going down exactly the same path as many mobile apps: putting security in second place, and hoping no-one will notice.
In fact, according to Thuen, Snapshot doesn’t put security in second place, nor third, nor, indeed, anywhere:
[B]asically, [the product] uses no security technologies whatsoever.
But you could save several dollars a week, if only you learn not to slow down so much.
You could probably hack the device to not report your hard-brakes, so you would get the cheaper premiums without actually having to drive better.
“→ We realise that it is possible to learn to avoid braking simply by refusing to slow down, e.g. by overtaking dangerously, forcing your way through risky gaps, driving in the emergency lane, or running red lights. But no-one would do that. ”
I assume whoever wrote this caveat has never driven in Boston, MA – LOL! That description is pretty much standard driving protocols for Boston.
Goes for Winnipeg, MB, Canada, as well! That’s just driving as usual here.
Big Deal, the world finds out what car you drive. It knocked $200 of my bill.
and where.. and how fast, and… and… and who knows what else.. we all can see what you drive..
Yeah … beginning with yourself. The Progressive web site has this data available for you. As well as a graph of your speed in every “trip”, that is, the times the engine is on.
A couple of companies here in Canada have offered these for their customers (me included). I have always refused the offer. Security of these devices has always been a concern to me.
Although the devices do monitor some driving habits measured by OBD, the primary reason is to measure your mileage. Simply put more miles driven leads to more higher premiums.
Every year I must put my mileage on my license renewal. Is this not enough?
And how long before suspicious partners start plugging a similar dongle into a car to track where it goes? Actually for some cars, it doesn’t even need GPS as GPS is built into the car’s basic systems – for mine, the satnav is a large matchbox plugged into a slot in the glove compartment.
Maybe I have just spotted a business opportunity?
I have actually met people where UK immigration has demanded their Satnav to interrogate it to see if the tracks stored in it matched where they said they had been.
Makes me wonder if the slow processing at UK immigration in Calais is to give them long enough to check to see what they can access of phones and satnav systems via Bluetooth and wifi and cellular to mine as much data as they can. It is probably not that hard. They can at least correlate devices to people – you are handing your passport over to them for a positive ID.
You have pretty much the same possibility at toll booths. I wonder if the number plate recognition cameras on the main roads into towns e.g. Bridgwater also try to recognise the phones passing them, as that then allows them to work out who is in the car. More usefully, it allows disposable phones to be tied to probable owners.
“And how long before suspicious partners start plugging a similar dongle into a car to track where it goes?”
Suspicious partners can already hide a GPS tracking device, or smartphone with a tracking program switched on in the car. Or they can install or switch on a tracking system on the phone their partner already has and hope they don’t notice.
actually insurance companies kindly ask you to provide them as many telephone numbers as possible. To call you back if everything is fine? or to have the track of yu in case of any events? how do they have access regularly other than in a court? I guess they can easily….
I also live in Canada and I have taken on the offer from the insurance company. This year, I am saving 12% off my insurance premium. The dongle does not make any sound when hard braking. The insurance company provides a website where I can see the location of hard acceleration and hard braking. When signing up for the dongle, you sign a contract that indicate that the insurance company cannot use the data to set or raise your premium or in matters relating to accidents or claims. Based on that, currently I see nothing but a win for me.
“This isn’t an earth-shattering vulnerability. It’s not an unmitigated privacy disaster.”
One might argue that it’s not even worth the attention of this article. Seriously? Someone’s going to break into my car to get to this dongle, or install one? Right.
Or compromise the devices in the supply chain (i.e Trojanise them in the factory). Or alter the master firmware image in the software development house and pwn them at install time. Or pay someone inside the mobile phone company to copy all the traffic logs for these devices, which will be unencrypted. Depends how useful they might find the data.
I mean, who’s going to break into your house to make a copy of your credit card? Therefore large scale credit card fraud is never going to happen…
Point is, if software is going to transmit a real time data stream detailing your location and how it changes, why wouldn’t the software authors encrypt that data? And why wouldn’t you expect them to?
If they don’t track where you go whats to stop you not plugging it into your car at all, just apply power to it for an hour a day going nowhere and end up with the lowest premium possible?
Also why doesn’t Flo have a nose?
The software in the device itself can make a pretty good guess whether you are actually driving or not from the diagnostic data it collects, regardless of how much of that data it sends back. It could then “cry foul” if it realised you were trying to scam the system.
It gets a regular feed of time and distance, and thus knows your velocity, acceleration, etc. I imagine it also knows when the engine is running, and at what RPM.
Should be pretty easy to tell whether you’re sitting in a parking lot with the engine ticking over, or hammering round that 270-degree corkscrew bend that leads from the Cahill Expressway to the Sydney Harbour Bridge.
As the dongle tracks your travel distance, it subtracts the new mileage from the last one. They know if you have travelled with the dongle unplugged.
It can also track whether your location has changed without their having a record of it. May be as simple as reading your odometer and trip odometer (for greater precision) or by reporting the cell towers and distance from them.
It’s not that easy to fool the gadget, specially with all the data they have access to, both from the device and from the mobile data network (=cell phone network) it links to.
FYI, “hard brake” is defined as a deceleration of at least 7 miles per hour each second. Which means your speed goes down from, say 50 mph to 43 mph or lower in a second.
This count is pretty bad if you have the habit of pulsing the brakes (brake hard and release continuously, which keeps the brakes cooler, and helps avoid locking up the wheels, just like antilock braking does for you) or if you happen to step on the brake to finish stopping your car. With the pulsed braking, you may or may not get a beep, but it will count each one, so you can rake 10+ hard brakes on a relatively uneventful drive or “trip” (as they call it)
It is an indicator of the slap-dash way IoT is going to work unless they are slapped down.
Another query or 2.
I live in a quiet neighbourhood. Low traffic, etc. At night, I every so often, take a spin or 2 around the block, during which time I check lights, turn signals, 4 ways, acceleration, braking, sound, etc. In the process on a somewhat vacant straight-away, i may do 2 or even hard brakes. This is to test my brakes, tires etc, and to clean the brakes. So their system logs time and place… and hard braking. But this was done safely and on purpose. How does one tell them not to include these tests?
Likewise, my mechanic, who is paranoid, does a full test drive each 3 months… How would one keep those numbers out of their data base?
Drifting! You lose speed while keeping the revs up 🙂
Only kidding. I suppose that over a long time, one or two emergency stops every now and then won’t make a huge difference to your stats. You’d have to assume they’re looking for people who are inevitably in a hurry, putting the hammer down when it’s clear and leaving the deceleration until the last minute every time. You’d hope that the intervals between the “hard brakes” would be involved in the algorithm.
So BRAKE-short gap-BRAKEwould be “one of those things” while BRAKE-driving a bit-BRAKE-driving-BRAKE-driving-driving-BRAKE would be “one of those habits.”
ANYONE DUMB ENOUGH to let insurance companies have this kind of access to their lives is too stupid to be allowed to be in charge of a machine that could kill them or someone else. The fact that a naive and stupid conversation like this is taking place on a technology discussion site tells is deplorable. The discussion should be how soon before insurance companies and the government start monitoring your workouts, your sex, your relationships…And why any numbskull would be foolish enough to allow this to start…wait until it becomes compulsory!!
Actually, if you read the comments, it looks as though the “naive and stupid conversation” you deplore has more people warning against this sort of thing than blindly accepting it.
PS. Maybe take it a bit easier on the public insults next time, eh? After all…if this is a “stupid” conversation, then you’re now part of it. If you see what I mean.