Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Hardware Hacking Input Devices Transportation Hardware Technology

Insurance Company Dongles Don't Offer Much Assurance Against Hacking 199

According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies basically it uses no security technologies whatsoever.”
This discussion has been archived. No new comments can be posted.

Insurance Company Dongles Don't Offer Much Assurance Against Hacking

Comments Filter:
  • Spoofing! (Score:5, Interesting)

    by Anonymous Coward on Sunday January 18, 2015 @07:03PM (#48847079)

    I've long thought there could be a really lucrative market for OBD2 spoofers. Instead of plugging the dongle directly into your car, plug it into a middle-man that feeds it the "happiest" possible data to make it think your driving is perfect. There is no authentication in the OBD2 protocol so there is no way for the dongle to tell the difference between a real OBD2 data feed and a spoofed one.

    • Re:Spoofing! (Score:4, Insightful)

      by Anonymous Coward on Sunday January 18, 2015 @07:13PM (#48847123)

      I've long thought there could be a really lucrative market for OBD2 spoofers.

      Okay, so there's a market for insurance fraud hardware devices? Are you planning to sell these on this week's reboot of the Silk Road?

      BTW, there's better money to be made if you're willing to commit fraud or other felonies. I say skip the penny ante bullshit and go for credit card fraud. Most of those people get away with it because the issuing banks don't give a fuck due to sticking the merchants with the costs.

      HTH.

      Protip: not everything having to do with computers or electronic hardware needs a new "...on a computer" law in order to render it illegal. You may have confused this with the issuance of patents, where the addition of a computer algorithm is always considered a groundshaking breakthrough and worthy of allowing someone to rent seek over real innovators. No worries, this is a common misunderstanding. Have a nice day!

      • Re: (Score:2, Flamebait)

        by kilodelta ( 843627 )
        The whole thing about fraud against a corporate entity makes me a little bit angry. Who the fuck do those corporations think they are anyhow?
        • by MrKaos ( 858439 )

          The whole thing about fraud against a corporate entity makes me a little bit angry. Who the fuck do those corporations think they are anyhow?

          They're the entity you need to send the money you worked for to, because it's theirs. Now shut up and send more money.

      • TTWTF is that this is the 20th century thinking that makes such an act illegal (or even considered to be immoral). Insurance companies should be free to price their policies in any manor of their choosing, and we the people should be free to share and spread information to subvert their dirty tricks. Capitalism (as it is practiced) is not suited for the 21st century. It's time for a new economic structure, condusive to an open and free market place of ideas. 20th century thinking needs to die.
        • Re:Spoofing! (Score:5, Insightful)

          by danlip ( 737336 ) on Sunday January 18, 2015 @09:48PM (#48847735)

          You think it's possible to implement a "new economic structure" that doesn't favor those with wealth and power more that the current one? The only people interested in a level playing field are those not at the top.

          • Possible, yes. Easy, absolutely not. When has initiating change on a broad scale ever been easy? It is a chore not for the feint of heart, but one that is necessary from time to time.
          • I would have much rather your +4 insightful mod gone to the people who actually had an interesting/insightful argument against my own. Meh, just goes to show you why you should always browse at 0. That's where all the good stuff is at ;)
        • by AmiMoJo ( 196126 ) *

          Most people don't want to become insurance experts or hope that their circle of friends is clued up enough to protect them. They would rather that their government, the people who work for them, regulate the insurers to ensure fairness. It's cheaper and easier for everyone.

          • by mysidia ( 191772 )

            Most people don't want to become insurance experts or hope that their circle of friends is clued up enough to protect them.

            If not for government regulation, both explicitly in complicated arcane rules, and implicitly in the form of allowing ludicrous litigation, liability, and protecting unions, then the cost of both replacing the car and providing healthcare would be so low, that a year's worth of auto insurance would cost $100.

            Since it would cost about $2500 to buy a brand new SUV, and a week's st

      • by sjames ( 1099 )

        OTOH, in the VCR days there was a thriving market in video stabilizers "for the clearest possible picture".

        Naturally, the OBDII simulator would be for people who want to develop their own interface devices.

      • by gl4ss ( 559668 )

        it's not the device that makes the fraud.

        it's the individual that would put it between the insurance companys dongle and the car that would be making the fraud, but the device itself wouldn't be illegal as such.. it's not doing copyright circumvention or any such thing, so no need to go on silk road to sell it.

        certainly it would be 1000 times more legal than ssl interceptors and such which seem pretty popular for corporate/airline networks...

        this thing is just that someone realized there was a market for ha

        • It would actually be a perfect device for simulating the EPA test cycle. It would be a perfect way to sell it legally. The EPA cycle is "the" test for cars in the US so there are plenty of professionals that would love a tool. Some simulation software starts at $5k/license. (CANalyzer). No one says you have to sell your device with 'encryption' so that the EPA cycle would be replaced with whatever cycle you wanted.

          Or you could just do it with a cheap uC board these days. These guys are building a engine EF [rusefi.com]

    • by msauve ( 701917 )
      I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).
      • by mjwx ( 966435 )

        I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).

        This is the reason MOT tests still require the mechanic to look at the car instead of trusting the computer readouts.

    • Some are GPS enabled now which allows cross-correlation with the speedometer and internal accelerometer readings to detect fraud. Granted, you could cage the dongle and let them think it couldn't get a GPS fix from its position under the dash. A spoofer would also need it's own accelerometer to generate believable data under acceleration and braking.

      • The GPS module is (usually) just sending NMEA serial data. Splice the line and you don't need a faraday cage and complicated spoofer.

      • by AmiMoJo ( 196126 ) *

        Those boxes are a scam anyway. They don't understand the type of vehicle they are connected to, and they don't understand the road surface being driven on. A lot of young people are getting them fitted to reduce their premiums, and then finding that because they live in a hilly area and have to push the accelerator to the floor just to maintain 30 MPH in their little 1.0 litre super efficient cars the dongle decides they are accelerating too hard. Poorly maintained roads make the accelerometer go nuts, and

        • by bws111 ( 1216812 )

          Huh? They use their own accelerometers to measure acceleration, so your 'hills' scenario makes no sense.

          Do you know what the insurance companies care about? Risk. All they want to know is how likely you are to be in an accident. Therefore, contrary to your suggestion, they ARE taking into account things like the road surface. If you are 'weaving around pot-holes' and driving on poorly maintained roads you ARE more likely to be in an accident.

    • I've had the exact same thought. Only the way I thought of it - find the safest driver you know and just plug the device into their car. A low tech solution for a high tech problem.
    • by Lumpy ( 12016 )

      It is trivial. I can build one with an arduino in 10 minutes. Build one that sits in between so that all the good data is there but it limits the data to acceptable levels so it all looks legit.

    • by sjames ( 1099 )

      You better watch that talk about spoofing people's dongles. We don't want another scandal.

  • by Dan1701 ( 1563427 ) on Sunday January 18, 2015 @07:06PM (#48847099)

    The most obvious reason for an attack here is to commit insurance fraud. At present, an insurance company is forced to base an insurance premium on all the meta-data they can possibly gather about the prospective client, excepting their sex if they are in the EU (although this may well lead to a quite astonishing number of men called "Sue", if insurance companies attempt to bypass this and link first names to insurance risk).

    A data-gathering dongle would seem to offer a much better deal, allowing the company to charge more if the user indulges in risky behaviour of some description.

    A possible reason for hacking into the module would therefore be to falsify the data sent back to the company; a boy racer who regularly breaks speed limits, corners absurdly fast and brakes late if at all would gain substantially from a fraudulent data recording which portrayed him as someone with the driving habits of an octogenarian grandmother; such a person might also think that the gamble of sending such phoney data was well worth the savings when set against the fairly low risk of getting caught.

    It therefore worries me that companies are this lazy when building such equipment. It really doesn't take all that much to keep out the majority of crackers right from the start, and as the skilled ones are in the minority, taking a little care initially would pay dividends down the line.

    • by msauve ( 701917 )
      Yes, this.

      Where's the proof of concept firmware which generates a fake, slightly randomized weekday round trips to work at speeds below the limit, and totally ignores real world driving?

      It seems to be mainly the interest of the insurance company to add security, not the user's.
      • The problem with such a program is that the insurance company has the data from other dongles on the same roads. Presuming there are timestamps on the accelerations, they can model traffic flows. If everyone is stopped at a stoplight in the reconstructed model but your fake data shows you driving through the light at speed limit minus one, their analysis program will know something is wrong with your data. Investigation ensues.
        • by msauve ( 701917 )
          You think a company who doesn't bother with even simple security is going to do that?
    • There's a problem with that scheme. The fake dongle says you got from point A to point B in much more time than it took, right? So what happens if, at point B, you're in an accident? The fake dongle won't sent the right data for that, at the right time, and probably witnesses and the other driver will also give the right time (esp. if the other driver has a real dongle).

      Also, a car tends to sustain much more damage from a 60 mph impact than a 25 mph impact.

      • by Mal-2 ( 675116 )

        There's a problem with that scheme. The fake dongle says you got from point A to point B in much more time than it took, right? So what happens if, at point B, you're in an accident? The fake dongle won't sent the right data for that, at the right time, and probably witnesses and the other driver will also give the right time (esp. if the other driver has a real dongle).

        Also, a car tends to sustain much more damage from a 60 mph impact than a 25 mph impact.

        You don't adjust the arrival time at point B, you adjust the departure time from point A.

        • And the excess damage?
          • "And the excess damage?"

            What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

            Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor I designed my car.

            Do you think I commited fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for puting me at risk for your lack of due

            • "And the excess damage?"

              What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

              Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor I designed my car.

              Do you think I commited fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for puting me at risk for your lack of due diligence.

              Yes the insurer absolutely will think you committed fraud. Then their very first step will be to ask the police for an accident report. The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle.

              Believe me, when that is put in front of a judge, your "putting you at risk" charge is going to be thrown out, and their fraud charge is going to hit you square between the eyes.

              • "the insurer absolutely will think you committed fraud"

                Absolutly yes, of course. Heck! they probably default to think there's a fraud even if lacking any evidence.

                A very different thing is for them to *demonstrate* there's a fraud or, at least, being a civil case, that it heavily smells like fraud.

                "The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle."

                And the insured will claim that his coverage is bound to

            • It's a gamble between two opposing forces of insurance:

              1) On one hand, insurance companies are bureaucracies and handling claims is a bureaucratic process with a certain amount of inertia, where obvious fraud needs to be caught but time/people/resources don't exist to fine-grain protect against all possible marginal fraud, otherwise the system would grind to a halt. A tracking device with a minor deviation from observed damaged may just get written off as the strangeness of physicals or the brittleness of

      • by AK Marc ( 707885 )
        You don't expect to get caught. Also, you time your "fake" trips to be well off from your regular routine. The dongle will be sending back "parked in the garage" at the time of the crash. Then you just plug it in and claim it must have malfunctioned. Just because you are too dumb to fool someone else, doesn't mean we all are.
      • by sjames ( 1099 )

        There would be limits, but it could do things like changing wide open throttle to accelerate to speed in 2 seconds into moderate throttle to come to speed in 4 seconds.

        As long as you don't diverge too far from reality, the rest can be explained well enough by inaccuracy in the hardware. In some places GPS gets really inaccurate normally.

        I'm not saying it's a good idea, just that it's close enough that there will be people trying it.

    • by DarkOx ( 621550 )

      See the trouble with that is unless he can be sure, that in the event of an accident he is able to remove the device and conceal any evidence of tampering, at the scene he will be awful unhappy when they deny his claim and prosecute him for fraud.

      All the fancy computer security aside, they could probably just use one of those stickers that leaves 'void' behind when you pull it off applied by the agent across the device where it meets the ODBII/III connector.

    • Or we can just ban these idiotic things, whats next health insurance companies stapling pedometer's onto people get a lower rate?

      Insurance is supposed to be about aggregating risk, the problem is the lower end of the risk pool is paying more then the out of pocket they could expect and leave the pool if they can. Auto insurance is harder to leave you have to drive (if you want to live outside an urban envirnment) and it's not optional.

      • Re: (Score:3, Interesting)

        whats next health insurance companies stapling pedometer's onto people get a lower rate?

        You don't think those bluetooth 'fitness monitors' that are popping up in the market won't eventually be used to 'provide insurance customers with more preferable rates' if they wear one connected to an Insurance Companies database?

        Citizen! We are all in this together. We all pay for each others' healthcare. It in in all of our interests for EVERY citizen to live an optimally healthy lifestyle.

      • I'm not joking: they gave us pedometers at work to get a lower rate on our health insurance. It is optional, of course. You can look it up, they're using Virgin Pulse, I imagine there are many others. You get even more discount if you make up meal plans and on and on.
    • by silfen ( 3720385 )

      It therefore worries me that companies are this lazy when building such equipment

      Among all the areas in daily life where companies can hurt me through weak security, this is way down on the list.

      My first concern? Probably that US banks and credit card companies should start using smart chips, two factor authentication, and reliable notification, all of which are easy to do and widely used elsewhere.

  • by RichMan ( 8097 ) on Sunday January 18, 2015 @07:22PM (#48847153)

    If you want to drive your car again, send $500 to .... until then the ignition is locked.

    • Is there any room to name one's own counteroffer with the price gun?
    • except that the firmware in the ignition control system of the vehicle is written on actual PROM chips, not EEPROM chips, because they have to operate in a hazardous environment. (Temperature extremes, moisture intrusion, dirt, corrosion, etc.) Voltage spikes from slowly decaying wiring, or other sources of irregularity can damage an EEPROM's contents, where a PROM will just burp a little, then be fine after the irregularity. (assuming it isnt a very large spike that can kill silicon anyway)

      This means that

      • by Minupla ( 62455 ) <minupla@gmail . c om> on Sunday January 18, 2015 @07:54PM (#48847285) Homepage Journal

        Just as a point of interest, there was a talk at Defcon last year where someone built a IPS (intrusion prevention system) for the bus of the car. It turns out that the communication matrix for a car is a very static system. The parts of a car that communicate with each other do so often (e.g. Engine controller and injection system), and predictably. Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do. So it's possible to build a device that models the system by listening on the bus and if it suddenly sees new traffic patterns shorts out the bus, leaving you with a less smart, but still on 4 wheels and not careening into oncoming traffic, car.

        Seems like something the OEMs should be looking into.

        Min

        • by wierd_w ( 1375923 ) on Sunday January 18, 2015 @08:32PM (#48847413)

          No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

          However, this would require a "smart" component inside the dash, between the actual ignition control system/ACS system, and the ODBII port interface. Such a device would need to have a reference pattern to check current communications against, and would need some level of processing capacity to compare realtime engine diagnostic data and bus activity against the reference. (Does not need to be fancy here, but this does imply the ability to program a new reference pattern later, especially if the system is fully adaptive to changing engine conditions over time.)

          This then places some significant implementation considerations on the vehicle manufacturer-- this device has to somehow be able to be field-reset at a dealership if it gets confused after having the engine serviced, and also needs to have nothing but read-only access to the engine's control system. The only thing it should have "write" access to should be the fuse. (And maybe an indicator lamp)

          However, given the less than spectacular implementations of integrated devices in modern vehicles (in terms of security, and security oriented design/implementation) I question if such a device would be properly implemented.

          I get the sneaky suspicion that the automaker would be ... "tempted" ... by dealerships and other retailers in the market to integrate lojack functionalty into the security device, thus making it itself into the target of exploits. (Otherwise, the purposeful activation of the intrusion failsafe would render actual lojacks incapable of stopping cars, by disabling the communication bus. This means removing the fuse would essentially disable such countermeasures.) This would then make "remove the dongle" no longer an option.

          When presented with a choice between "properly implemented security" and "Pressure from their customers" (Auto manufacturers RARELY, if ever, sell directly to the public. THEIR customers are the dealerships.) , I expect automakers will choose to placate their customers every single time.

          • by Minupla ( 62455 )

            No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

            Doesn't protect against other attack avenues that have either been hypothoized or demo'd though. The entertainment unit always seems popular. Trojaned CD in the player, for example or exploit against the bluetooth system. Hey I wonder what happens to that cute bit of software that displays what song t

        • by mjwx ( 966435 )

          Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do.

          Most systems will have some kind of physical security, the entertainment system wont be able to communicate with the AWD system. Engineers are pretty bright and know that if you could issue a command from the bluetooth on the stereo to send 80% of the power to the back right wheel at highway speeds it would be a very bad thing.

          However the ransomware doesn't need t

      • by Lumpy ( 12016 )

        I can rewrite the OS in my ECM and BCM at any time they are EEPROMS and FLASH not PROMS.

        Maybe back in 1988 they were PROMS, today's cars are field programmable, Hell BMW's have been field programmable since the 90's.

          I've been hacking on cars for hotrodding for 20 years and ALL OF THEM have been easily modified for decades. Up to 1998 you had solidified chips but the Advent of ODB-II had field programmability very VERY common.

        • That's unfortunate... I can see why it would be desirable by the manufacturer and dealer, (as it would enable quite a few shady practices by both), but I question how stable EEPROM is compared to PROM in the hazardous environment under the hood or dash. (I know some modern systems are installed under the center console between the front seats, and some are installed under the passenger or driver seat, but this is still a problematical location in terms of operating environment. Still has large fluctuations

          • by tibit ( 1762298 )

            how stable EEPROM is compared to PROM

            Electrically-programmable fused PROMs suffer from bit rot and simply are not made anymore. I hate the damn things with a passion, they are one of the causes of good legacy test equipment turning getting bricked. The legacy OTP EPROMs require high voltage for programming and the only concern with them is slow charge decay. These days, it's FLASH all the way.

            Alas, you're making up imaginary problems. Every high-rel firmware-based system will not only verify the integrity of the firmware upon boot-up, but con

            • by Lumpy ( 12016 )

              It's not as filtered as you think. A single shorted sensor can and does cause other problems in car ECM's. BMW E30 ECM if the oil level sensor shorts out will cause other sensors to read as failures as well as power brown outs tot he processor causing major issues.

              Car electronics are only built a step up from consumer electronics nowdays. It's quite a joke as to how crappy the engineering in all the electronics in a car are.

          • by Lumpy ( 12016 )

            Older cars the Spark and fuel tables WERE a part of the firmware, in fact every time I flashed a new EEPROM for the 7730 ECM I rewrote the whole thing. I even went as far as used a larger EEPROM and tied the highest Address line to a switch so I could write multiple copies with different tables in the single EEPROM and flip a switch on the fly to go from street driving for smooth and decent gas mileage, to racing with aggressive spark tables and dumping in fuel like a banshee. the CPU in the 7730 did not

  • What do we know about the security of systems such as onStar?

  • by MrKaos ( 858439 ) on Sunday January 18, 2015 @11:34PM (#48848051) Journal
    Whilst it's a little twist on Franklin's words it is appropriate. People who give up their vehicle data privacy for lower cost insurance premiums in time will for premiums up for people who choose not to use one of these dongles.

    I'm glad the insurance companies are so lax with those peoples security as to make them a target for crackers. It shows they are subject to the same type of contempt the insurance companies demonstrated in the first place. People too insular to be concerned deserve to be subject to every exploit there is.

  • by jklovanc ( 1603149 ) on Monday January 19, 2015 @02:38AM (#48848395)

    From the article.

    By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits

    SO only direct connect has been proven.

    The researcher noted that for a remote attack to take place, the concomitant u-blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too. Such systems have been exploited in the past, as noted in a paper here from Ralf-Philipp Weinmann, from the University of Luxembourg.

    Remote access has only been shown by similar systems.

    Call me when you can actually show a remote exploit through the dongle.

    • by tibit ( 1762298 )

      The problem is that you have a system that's not inherently safe - it merely rides on the unproven safety of one single component. A resilient system would have many barriers that you have to break down in order to gain access. This one has just one. For all we know, it has already been broken.

  • I had a client who actually bought holy Mary anti-virus stickers to put on the outside of the computer.

  • There might be a market for a defice that can be placed between any such 'required' dongles and a vehicle's actual systems. Something that can pass certain data in only one direction (read-only vehicle parameters) and block requests (and spoof handshake signals) should dongle attempt to make an unwanted request of the vehicle's systems.

    I can also see a market for such a device where emissions tests are done by reading the data port. Just tell the port filter to always reply with an 'all is well' code.

  • If you're worried about it, solve the problem at the communications layer. Wrap the dongle in such a way that it can't transmit or receive data. "What you're not getting the data? Wow that's strange. I have it plugged in." Either that or find another insurance company that doesn't track you. The fact that you've allowed a device to track you in the first place means that you've exposed yourself to risks, some overt such as your lead footed behavior is know a known quantity and inadvertent in terms of a

"Your stupidity, Allen, is simply not up to par." -- Dave Mack (mack@inco.UUCP) "Yours is." -- Allen Gwinn (allen@sulaco.sigma.com), in alt.flame

Working...