Insurance Company Dongles Don't Offer Much Assurance Against Hacking

According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies basically it uses no security technologies whatsoever.”

Spoofing!

[Anonymous Coward]

I've long thought there could be a really lucrative market for OBD2 spoofers. Instead of plugging the dongle directly into your car, plug it into a middle-man that feeds it the "happiest" possible data to make it think your driving is perfect. There is no authentication in the OBD2 protocol so there is no way for the dongle to tell the difference between a real OBD2 data feed and a spoofed one.

Re:Spoofing!

[Anonymous Coward]

I've long thought there could be a really lucrative market for OBD2 spoofers.

Okay, so there's a market for insurance fraud hardware devices? Are you planning to sell these on this week's reboot of the Silk Road?

BTW, there's better money to be made if you're willing to commit fraud or other felonies. I say skip the penny ante bullshit and go for credit card fraud. Most of those people get away with it because the issuing banks don't give a fuck due to sticking the merchants with the costs.

HTH.

Protip: not everything having to do with computers or electronic hardware needs a new "...on a computer" law in order to render it illegal. You may have confused this with the issuance of patents, where the addition of a computer algorithm is always considered a groundshaking breakthrough and worthy of allowing someone to rent seek over real innovators. No worries, this is a common misunderstanding. Have a nice day!

Re:

[kilodelta]

The whole thing about fraud against a corporate entity makes me a little bit angry. Who the fuck do those corporations think they are anyhow?

Re:

[MrKaos]

The whole thing about fraud against a corporate entity makes me a little bit angry. Who the fuck do those corporations think they are anyhow?

They're the entity you need to send the money you worked for to, because it's theirs. Now shut up and send more money.

Re:

[drkstr1]

TTWTF is that this is the 20th century thinking that makes such an act illegal (or even considered to be immoral). Insurance companies should be free to price their policies in any manor of their choosing, and we the people should be free to share and spread information to subvert their dirty tricks. Capitalism (as it is practiced) is not suited for the 21st century. It's time for a new economic structure, condusive to an open and free market place of ideas. 20th century thinking needs to die.

Re:Spoofing!

[danlip]

You think it's possible to implement a "new economic structure" that doesn't favor those with wealth and power more that the current one? The only people interested in a level playing field are those not at the top.

Re:

[drkstr1]

Possible, yes. Easy, absolutely not. When has initiating change on a broad scale ever been easy? It is a chore not for the feint of heart, but one that is necessary from time to time.

Re:

[drkstr1]

I would have much rather your +4 insightful mod gone to the people who actually had an interesting/insightful argument against my own. Meh, just goes to show you why you should always browse at 0. That's where all the good stuff is at ;)

Re:

[AmiMoJo]

Most people don't want to become insurance experts or hope that their circle of friends is clued up enough to protect them. They would rather that their government, the people who work for them, regulate the insurers to ensure fairness. It's cheaper and easier for everyone.

Re:

[mysidia]

Most people don't want to become insurance experts or hope that their circle of friends is clued up enough to protect them.

If not for government regulation, both explicitly in complicated arcane rules, and implicitly in the form of allowing ludicrous litigation, liability, and protecting unions, then the cost of both replacing the car and providing healthcare would be so low, that a year's worth of auto insurance would cost $100.

Since it would cost about $2500 to buy a brand new SUV, and a week's st

Re:

[drkstr1]

Simple. Keep capitalism. Make it so ideas and information can't be owned (copyright is OK, but affords no additional protection except for maybe the right to citation to prevent plagerisim aka fraud). In fact, let's just get rid of all the laws except for maybe a few hundred or so. The laws that we keep should be more like commandments (EG though shall not defraud another when entering into a contract). People should not be regulated. Incorporated persons should be regulated only when and if they interfere

Re:

[drkstr1]

PS. The merits would be a more level playing field and upward mobility, and quality of life, at the possible expense of economic efficeincy. But I would argue we are in an age where economic efficiency is no longer needed to improve our quality of life, and may even be detrimental to our long term survival as a species.

Re:

[AmiMoJo]

The merits would be a more level playing field and upward mobility, and quality of life

I really doubt that. What will happen is the scammers will get rich, much as they do now but on a much larger scale. It's already possible to sell a complete POS simply by advertising the hell out of it, and removing regulations on advertising would just make the situation worse.

Quality of life will plummet as people get screwed by dodgy healthcare contracts or people polluting their environment. They could sue of course, but who has the money for that? Prices will probably sky-rocket as well, since the mom

Re:

[drkstr1]

No, that is what we get in now in the current hegemony. The i would even say the system we have now in practice was designed so the liars thieves and fraudsters can gain an unfair advantage. This is why income is unnaturally distributed to the top, rather than a nice clean bell curve, as it should be, according to natural law. What I am proposing simply boils down to a change in our priorities. One that puts the persuit of knowledge, truth, and honesty above all else. All of that behavior you describe coul

Re:

[dave420]

But every single person who files a false insurance claim or pretends to be a better driver than they are is costing everyone else money. Every single one of them. You not being able to tell with a cursory glance doesn't change that...

Re:

[sjames]

OTOH, in the VCR days there was a thriving market in video stabilizers "for the clearest possible picture".

Naturally, the OBDII simulator would be for people who want to develop their own interface devices.

Re:

[sjames]

And there will probably be someone who wants to develop an OBDII interface who will find a simulator helpful.

After all, it's dangerous to debug while driving.

Re:

[TheRaven64]

Macrovision worked by setting the brightness to maximum during the flyback period when the beam is turned off. What kind of device were your friends using where this interfered with the signal? It was a problem for (some) VHS recorders, because they averaged the brightness over the entire frame and didn't ignore the flyback interval, so you ended up with a very dark copy.

Re:

[gl4ss]

it's not the device that makes the fraud.

it's the individual that would put it between the insurance companys dongle and the car that would be making the fraud, but the device itself wouldn't be illegal as such.. it's not doing copyright circumvention or any such thing, so no need to go on silk road to sell it.

certainly it would be 1000 times more legal than ssl interceptors and such which seem pretty popular for corporate/airline networks...

this thing is just that someone realized there was a market for ha

Re:

[0100010001010011]

It would actually be a perfect device for simulating the EPA test cycle. It would be a perfect way to sell it legally. The EPA cycle is "the" test for cars in the US so there are plenty of professionals that would love a tool. Some simulation software starts at $5k/license. (CANalyzer). No one says you have to sell your device with 'encryption' so that the EPA cycle would be replaced with whatever cycle you wanted.

Or you could just do it with a cheap uC board these days. These guys are building a engine EF [rusefi.com]

Re:

[the_B0fh]

How stereotypically Slashdot of you to presume that you discovered a trivially exploited "obvious flaw" in a system that somehow the engineers who designed the system weren't able to perceive or address.

Did I miss something, or isn't the article itself saying that the idiots who designed the system did not perceive nor address the issue?

Re:Spoofing!

[KingMotley]

Perhaps it was perceived, but they determined that the market of people willing to face fines and possible imprisonment so that they can save $10 in their insurance wasn't big enough to warrant the expense of building all that extra security in.

Re:

[camg188]

I can see spoofing the insurance company but what malicious hacks could these dongles do to your car?

Re:Spoofing!

[TheRaven64]

Just to clarify, your question is:

A device can run arbitrary malicious code and is connected to a physical link to your car, to a system that has physical links to your engine management system, and was not written with security in mind, what's the worst that can happen?

Re:Spoofing!

[AmiMoJo]

Not all manufacturers build their cars that. Some have an OBD-II bridge between the port and the main bus that makes the port read only except for a few very specific commands like resetting error codes. That's why if you look at those videos of people hacking a Prius on YouTube they have dismantled the entire dashboard. They had to get to the segmented parts of the bus, the diagnostic port was not enough to screw with anything interesting.

Re:

[TheRaven64]

To be fair, your engine management system should have been designed with security in mind.

Should be? Sure. Is? Absolutely not, in any shipping design.

Re:

[msauve]

I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).

Re:

[mjwx]

I'd think there'd also be money to be made with something similar which produced good readiness values whenever polled by the inspection station (in locations which require that).

This is the reason MOT tests still require the mechanic to look at the car instead of trusting the computer readouts.

Re:

[turbidostato]

"So, how can you tell by simply looking whether the catalytic converter is working properly?"

A "mechanic to look" is not just "simply looking". By measuring gases at the exhaust pipe you can know about the catalytic converter's health.

Re:

[msauve]

No you can't, not completely. Why do you think OBD monitoring is required, if everything can be checked through simple inspection?

Re:

[mjwx]

No you can't, not completely.

Actually you can. Simple off the shelf units like this one [corghiaustralia.com.au] measures all the gasses MOT test for. You dont exactly need a mass spectrometer to get an accurate CO2 reading.

Why do you think OBD monitoring is required,

Its not. Why do you think it's required or better yet, why do you think it's accurate?

if everything can be checked through simple inspection?

The MOT test is not a simple inspection. Its not the 14 point inspection the tyre shop uses to entice gullible people i

Re:

[msauve]

OBD monitoring may not be require in OZ, but it is federally mandated in the US. It monitors things which would pass a simple tailpipe test. You're obviously unfamiliar with what it does, and unqualified to comment.

Re:

[sjames]

Actually, they do exactly that for cars built before OBDII. The car goes on a dynamometer and a probe goes in the tailpipe. The tester then runs the car through a standardized set of speeds and durations while the exhaust is measured.

Reading out the OBD is much faster and legislators probably can't even imagine spoofing the data.

Re:

[AK Marc]

I've seen cars tuned to pass emissions with the cat removed. They ran like shit, but you could make them run long enough to "fool" the required tests. It's also not illegal to fool the tests. You can tune a car for the test, test it, then modify it (or swap out "illegal" parts for "legal" ones, test, then put them back). I had that "officially" recommended to me when my mod passed emissions, but didn't pass the visual test. The visual test is performed by Alaska to verify any modifications are approved

Re:

[Lumpy]

you can buy a bottle that you add to your gas tank that will pass a tailpipe test.

Re:Spoofing!

[AK Marc]

yeah, it's called "gasoline".

And they don't work. If you are running rich, you need an oxygenation. If you are running lean, you need an octane booster. They are nearly opposite, so you don't get both in one. So you need to know the problem before you toss in an additive.

Re:

[mjwx]

So, how can you tell by simply looking whether the catalytic converter is working properly?

I expected you to be able to figure out that "look" meant running actual manual diagnostics rather than simply trusting the computer.

My only mistake here was underestimating how stupid you were.

Re:

[jrumney]

By measuring the actual emissions using regularly calibrated test equipment (not blindly trusting what the car's uncalibrated sensors are telling you). The visual inspection is to ensure that the emissions are not also coming out from other places they shouldn't be.

Re:

[wiredlogic]

Some are GPS enabled now which allows cross-correlation with the speedometer and internal accelerometer readings to detect fraud. Granted, you could cage the dongle and let them think it couldn't get a GPS fix from its position under the dash. A spoofer would also need it's own accelerometer to generate believable data under acceleration and braking.

Re:

[cheater512]

The GPS module is (usually) just sending NMEA serial data. Splice the line and you don't need a faraday cage and complicated spoofer.

Re:

[AmiMoJo]

Those boxes are a scam anyway. They don't understand the type of vehicle they are connected to, and they don't understand the road surface being driven on. A lot of young people are getting them fitted to reduce their premiums, and then finding that because they live in a hilly area and have to push the accelerator to the floor just to maintain 30 MPH in their little 1.0 litre super efficient cars the dongle decides they are accelerating too hard. Poorly maintained roads make the accelerometer go nuts, and

Re:

[bws111]

Huh? They use their own accelerometers to measure acceleration, so your 'hills' scenario makes no sense.

Do you know what the insurance companies care about? Risk. All they want to know is how likely you are to be in an accident. Therefore, contrary to your suggestion, they ARE taking into account things like the road surface. If you are 'weaving around pot-holes' and driving on poorly maintained roads you ARE more likely to be in an accident.

Re:

[kilodelta]

I've had the exact same thought. Only the way I thought of it - find the safest driver you know and just plug the device into their car. A low tech solution for a high tech problem.

Re:

[toddestan]

How? I don't know of a way to get the VIN through the ODB2 port, though such a capability wouldn't surprise me terribly with the newest cars. They could try to infer whether the data is consistent with the model of car that's being insured through some of the metrics such as fuel usage. Though the biggest problem would be the GPS showing the car being parked at a place you don't live at, and being driven to a workplace you don't work at.

Re:

[Lumpy]

It is trivial. I can build one with an arduino in 10 minutes. Build one that sits in between so that all the good data is there but it limits the data to acceptable levels so it all looks legit.

Re:

[sjames]

You better watch that talk about spoofing people's dongles. We don't want another scandal.

Re:

[ISoldat53]

I would love to put one of these on a NASCAR car and watch Flo have a stroke.

Re:

[pete6677]

With insurance panda?

Re:

[Bob the Super Hamste]

I don't think I pay $1200 a year to insure all 3 vehicles in my household. It probably cost a little more than $1000, but $1200 a year for a single vehicle seems on the high side of things.

Re:

[Pascoea]

savings

That's a funny joke. I tried the snapshot. What a fucking joke. Three cars: Me, 20 mile daily rush hour commute. Wife, 15 mile "off peak" daily commute. Daughter, car literally sat in the driveway for the three months, with the exception of 2 trips from Minneapolis to Fargo and an occasional trip to the gas station around the corner. Me: 0% (ok, I expected that.) Wife: 3%, daughter 3%. Seriously? What do you have to do to get their 30%?

Hello insurance fraud

[Dan1701]

The most obvious reason for an attack here is to commit insurance fraud. At present, an insurance company is forced to base an insurance premium on all the meta-data they can possibly gather about the prospective client, excepting their sex if they are in the EU (although this may well lead to a quite astonishing number of men called "Sue", if insurance companies attempt to bypass this and link first names to insurance risk).

A data-gathering dongle would seem to offer a much better deal, allowing the company to charge more if the user indulges in risky behaviour of some description.

A possible reason for hacking into the module would therefore be to falsify the data sent back to the company; a boy racer who regularly breaks speed limits, corners absurdly fast and brakes late if at all would gain substantially from a fraudulent data recording which portrayed him as someone with the driving habits of an octogenarian grandmother; such a person might also think that the gamble of sending such phoney data was well worth the savings when set against the fairly low risk of getting caught.

It therefore worries me that companies are this lazy when building such equipment. It really doesn't take all that much to keep out the majority of crackers right from the start, and as the skilled ones are in the minority, taking a little care initially would pay dividends down the line.

Re:

[msauve]

Yes, this.

Where's the proof of concept firmware which generates a fake, slightly randomized weekday round trips to work at speeds below the limit, and totally ignores real world driving?

It seems to be mainly the interest of the insurance company to add security, not the user's.

Re:

[Culture20]

The problem with such a program is that the insurance company has the data from other dongles on the same roads. Presuming there are timestamps on the accelerations, they can model traffic flows. If everyone is stopped at a stoplight in the reconstructed model but your fake data shows you driving through the light at speed limit minus one, their analysis program will know something is wrong with your data. Investigation ensues.

Re:

[msauve]

You think a company who doesn't bother with even simple security is going to do that?

Re:

[BarbaraHudson]

There's a problem with that scheme. The fake dongle says you got from point A to point B in much more time than it took, right? So what happens if, at point B, you're in an accident? The fake dongle won't sent the right data for that, at the right time, and probably witnesses and the other driver will also give the right time (esp. if the other driver has a real dongle).

Also, a car tends to sustain much more damage from a 60 mph impact than a 25 mph impact.

Re:

[Mal-2]

There's a problem with that scheme. The fake dongle says you got from point A to point B in much more time than it took, right? So what happens if, at point B, you're in an accident? The fake dongle won't sent the right data for that, at the right time, and probably witnesses and the other driver will also give the right time (esp. if the other driver has a real dongle).

Also, a car tends to sustain much more damage from a 60 mph impact than a 25 mph impact.

You don't adjust the arrival time at point B, you adjust the departure time from point A.

Re:

[BarbaraHudson]

And the excess damage?

Re:

[turbidostato]

"And the excess damage?"

What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor I designed my car.

Do you think I commited fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for puting me at risk for your lack of due

Re:

[beelsebob]

"And the excess damage?"

What excess damage? You (the insurance company) have the data, and here is my car. There's no "excess damage", just "damage".

Do you think (the insurance company) that my accident should render less damage? That's not my problem, I'm neither a materials engineer, nor I designed my car.

Do you think I commited fraud? Why do you think so? Maybe because you know your devices are easily hackable? Maybe I should sue you (the insurance company) for puting me at risk for your lack of due diligence.

Yes the insurer absolutely will think you committed fraud. Then their very first step will be to ask the police for an accident report. The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle.

Believe me, when that is put in front of a judge, your "putting you at risk" charge is going to be thrown out, and their fraud charge is going to hit you square between the eyes.

Re:

[turbidostato]

"the insurer absolutely will think you committed fraud"

Absolutly yes, of course. Heck! they probably default to think there's a fraud even if lacking any evidence.

A very different thing is for them to *demonstrate* there's a fraud or, at least, being a civil case, that it heavily smells like fraud.

"The police will then report that the skid marks indicate that the car must have been travelling at at least 50mph, not the 20mph indicated by the dongle."

And the insured will claim that his coverage is bound to

It's a gamble

[swb]

It's a gamble between two opposing forces of insurance:

1) On one hand, insurance companies are bureaucracies and handling claims is a bureaucratic process with a certain amount of inertia, where obvious fraud needs to be caught but time/people/resources don't exist to fine-grain protect against all possible marginal fraud, otherwise the system would grind to a halt. A tracking device with a minor deviation from observed damaged may just get written off as the strangeness of physicals or the brittleness of

Re:

[AK Marc]

You don't expect to get caught. Also, you time your "fake" trips to be well off from your regular routine. The dongle will be sending back "parked in the garage" at the time of the crash. Then you just plug it in and claim it must have malfunctioned. Just because you are too dumb to fool someone else, doesn't mean we all are.

Re:

[sjames]

There would be limits, but it could do things like changing wide open throttle to accelerate to speed in 2 seconds into moderate throttle to come to speed in 4 seconds.

As long as you don't diverge too far from reality, the rest can be explained well enough by inaccuracy in the hardware. In some places GPS gets really inaccurate normally.

I'm not saying it's a good idea, just that it's close enough that there will be people trying it.

Re:

[DarkOx]

See the trouble with that is unless he can be sure, that in the event of an accident he is able to remove the device and conceal any evidence of tampering, at the scene he will be awful unhappy when they deny his claim and prosecute him for fraud.

All the fancy computer security aside, they could probably just use one of those stickers that leaves 'void' behind when you pull it off applied by the agent across the device where it meets the ODBII/III connector.

Re:

[DarkOx]

The vast vast majority of municipalities and vehicles are not subject to emissions testing. So for most people it won't be an issue, except when if diagnostics are needed.

Most mechanics are already pretty used to applying stickers etc, where states/counties require safety inspections, if customers want the convenience I am sure the major insurers can mail these folks a roll of stickers they can reapply; under threat of not being able to obtain additional stickers and inconveniencing their customers if the

Re:

[silas_moeckel]

Or we can just ban these idiotic things, whats next health insurance companies stapling pedometer's onto people get a lower rate?

Insurance is supposed to be about aggregating risk, the problem is the lower end of the risk pool is paying more then the out of pocket they could expect and leave the pool if they can. Auto insurance is harder to leave you have to drive (if you want to live outside an urban envirnment) and it's not optional.

Re:

[Bing Tsher E]

whats next health insurance companies stapling pedometer's onto people get a lower rate?

You don't think those bluetooth 'fitness monitors' that are popping up in the market won't eventually be used to 'provide insurance customers with more preferable rates' if they wear one connected to an Insurance Companies database?

Citizen! We are all in this together. We all pay for each others' healthcare. It in in all of our interests for EVERY citizen to live an optimally healthy lifestyle.

Re:

[Gilgaron]

I'm not joking: they gave us pedometers at work to get a lower rate on our health insurance. It is optional, of course. You can look it up, they're using Virgin Pulse, I imagine there are many others. You get even more discount if you make up meal plans and on and on.

Re:

[ruir]

Can your dog walk your pedometer around home?

Re:

[silfen]

It therefore worries me that companies are this lazy when building such equipment

Among all the areas in daily life where companies can hurt me through weak security, this is way down on the list.

My first concern? Probably that US banks and credit card companies should start using smart chips, two factor authentication, and reliable notification, all of which are easy to do and widely used elsewhere.

Time for the Ransomware

[RichMan]

If you want to drive your car again, send $500 to .... until then the ignition is locked.

Re:

[rmdingler]

Is there any room to name one's own counteroffer with the price gun?

Re:

[wierd_w]

except that the firmware in the ignition control system of the vehicle is written on actual PROM chips, not EEPROM chips, because they have to operate in a hazardous environment. (Temperature extremes, moisture intrusion, dirt, corrosion, etc.) Voltage spikes from slowly decaying wiring, or other sources of irregularity can damage an EEPROM's contents, where a PROM will just burp a little, then be fine after the irregularity. (assuming it isnt a very large spike that can kill silicon anyway)

This means that

Re:Time for the Ransomware

[Minupla]

Just as a point of interest, there was a talk at Defcon last year where someone built a IPS (intrusion prevention system) for the bus of the car. It turns out that the communication matrix for a car is a very static system. The parts of a car that communicate with each other do so often (e.g. Engine controller and injection system), and predictably. Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do. So it's possible to build a device that models the system by listening on the bus and if it suddenly sees new traffic patterns shorts out the bus, leaving you with a less smart, but still on 4 wheels and not careening into oncoming traffic, car.

Seems like something the OEMs should be looking into.

Min

Re:Time for the Ransomware

[wierd_w]

No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

However, this would require a "smart" component inside the dash, between the actual ignition control system/ACS system, and the ODBII port interface. Such a device would need to have a reference pattern to check current communications against, and would need some level of processing capacity to compare realtime engine diagnostic data and bus activity against the reference. (Does not need to be fancy here, but this does imply the ability to program a new reference pattern later, especially if the system is fully adaptive to changing engine conditions over time.)

This then places some significant implementation considerations on the vehicle manufacturer-- this device has to somehow be able to be field-reset at a dealership if it gets confused after having the engine serviced, and also needs to have nothing but read-only access to the engine's control system. The only thing it should have "write" access to should be the fuse. (And maybe an indicator lamp)

However, given the less than spectacular implementations of integrated devices in modern vehicles (in terms of security, and security oriented design/implementation) I question if such a device would be properly implemented.

I get the sneaky suspicion that the automaker would be ... "tempted" ... by dealerships and other retailers in the market to integrate lojack functionalty into the security device, thus making it itself into the target of exploits. (Otherwise, the purposeful activation of the intrusion failsafe would render actual lojacks incapable of stopping cars, by disabling the communication bus. This means removing the fuse would essentially disable such countermeasures.) This would then make "remove the dongle" no longer an option.

When presented with a choice between "properly implemented security" and "Pressure from their customers" (Auto manufacturers RARELY, if ever, sell directly to the public. THEIR customers are the dealerships.) , I expect automakers will choose to placate their customers every single time.

Re:

[Minupla]

No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

Doesn't protect against other attack avenues that have either been hypothoized or demo'd though. The entertainment unit always seems popular. Trojaned CD in the player, for example or exploit against the bluetooth system. Hey I wonder what happens to that cute bit of software that displays what song t

Re:

[mjwx]

Other parts that don't (e.g. entertainment system, or that ODBII plug from the insurance company and the traction control system) never do.

Most systems will have some kind of physical security, the entertainment system wont be able to communicate with the AWD system. Engineers are pretty bright and know that if you could issue a command from the bluetooth on the stereo to send 80% of the power to the back right wheel at highway speeds it would be a very bad thing.

However the ransomware doesn't need t

Re:

[Lumpy]

I can rewrite the OS in my ECM and BCM at any time they are EEPROMS and FLASH not PROMS.

Maybe back in 1988 they were PROMS, today's cars are field programmable, Hell BMW's have been field programmable since the 90's.

  I've been hacking on cars for hotrodding for 20 years and ALL OF THEM have been easily modified for decades. Up to 1998 you had solidified chips but the Advent of ODB-II had field programmability very VERY common.

Re:

[wierd_w]

That's unfortunate... I can see why it would be desirable by the manufacturer and dealer, (as it would enable quite a few shady practices by both), but I question how stable EEPROM is compared to PROM in the hazardous environment under the hood or dash. (I know some modern systems are installed under the center console between the front seats, and some are installed under the passenger or driver seat, but this is still a problematical location in terms of operating environment. Still has large fluctuations

Re:

[tibit]

how stable EEPROM is compared to PROM

Electrically-programmable fused PROMs suffer from bit rot and simply are not made anymore. I hate the damn things with a passion, they are one of the causes of good legacy test equipment turning getting bricked. The legacy OTP EPROMs require high voltage for programming and the only concern with them is slow charge decay. These days, it's FLASH all the way.

Alas, you're making up imaginary problems. Every high-rel firmware-based system will not only verify the integrity of the firmware upon boot-up, but con

Re:

[Lumpy]

It's not as filtered as you think. A single shorted sensor can and does cause other problems in car ECM's. BMW E30 ECM if the oil level sensor shorts out will cause other sensors to read as failures as well as power brown outs tot he processor causing major issues.

Car electronics are only built a step up from consumer electronics nowdays. It's quite a joke as to how crappy the engineering in all the electronics in a car are.

Re:

[Lumpy]

Older cars the Spark and fuel tables WERE a part of the firmware, in fact every time I flashed a new EEPROM for the 7730 ECM I rewrote the whole thing. I even went as far as used a larger EEPROM and tied the highest Address line to a switch so I could write multiple copies with different tables in the single EEPROM and flip a switch on the fly to go from street driving for smooth and decent gas mileage, to racing with aggressive spark tables and dumping in fuel like a banshee. the CPU in the 7730 did not

onStar?

[Black Parrot]

What do we know about the security of systems such as onStar?

Re:onStar?

[DigitAl56K]

That's a very valid point, but let's not pretend that you couldn't have the benefits of OnStar without most of the nasty privacy issues. A limit on data retention, clear indication when the device is listening in, and not selling subscriber data to the government would resolve a lot of the criticism.

Privacy vs Security

[MrKaos]

Whilst it's a little twist on Franklin's words it is appropriate. People who give up their vehicle data privacy for lower cost insurance premiums in time will for premiums up for people who choose not to use one of these dongles.

I'm glad the insurance companies are so lax with those peoples security as to make them a target for crackers. It shows they are subject to the same type of contempt the insurance companies demonstrated in the first place. People too insular to be concerned deserve to be subject to every exploit there is.

Direct connect

[jklovanc]

From the article.

By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits

SO only direct connect has been proven.

The researcher noted that for a remote attack to take place, the concomitant u-blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too. Such systems have been exploited in the past, as noted in a paper here from Ralf-Philipp Weinmann, from the University of Luxembourg.

Remote access has only been shown by similar systems.

Call me when you can actually show a remote exploit through the dongle.

Re:

[tibit]

The problem is that you have a system that's not inherently safe - it merely rides on the unproven safety of one single component. A resilient system would have many barriers that you have to break down in order to gain access. This one has just one. For all we know, it has already been broken.

Seriously

[nospam007]

I had a client who actually bought holy Mary anti-virus stickers to put on the outside of the computer.

OBD II Condom

[PPH]

There might be a market for a defice that can be placed between any such 'required' dongles and a vehicle's actual systems. Something that can pass certain data in only one direction (read-only vehicle parameters) and block requests (and spoof handshake signals) should dongle attempt to make an unwanted request of the vehicle's systems.

I can also see a market for such a device where emissions tests are done by reading the data port. Just tell the port filter to always reply with an 'all is well' code.

Wrap it in a mylar bag or aluminum foil.

[Virtucon]

If you're worried about it, solve the problem at the communications layer. Wrap the dongle in such a way that it can't transmit or receive data. "What you're not getting the data? Wow that's strange. I have it plugged in." Either that or find another insurance company that doesn't track you. The fact that you've allowed a device to track you in the first place means that you've exposed yourself to risks, some overt such as your lead footed behavior is know a known quantity and inadvertent in terms of a

Re:

[rudy_wayne]

That most people don't give a damn about security "because it is hard"?

Actually, security is not hard. But, security done properly requires you to commit substantial resources -- people, time, money. And that cuts into profits, so most most companies are not interested.

Re:

[Culture20]

Some companies will happily spend money and people on the security problem, but individual people within the company refuse the spend the time, using workarounds to skip having to deal with security. Sometimes this means using the computing resources nonsecurely, but other times it means avoiding using the computing resources.

Re:

[mysidia]

other times it means avoiding using the computing resources.

Or using different resources... such as Dropbox for file sharing, instead of file server and VPN client.

Re:

[Darinbob]

Adding security features gets in the way of the primary goal, which is to sell the product to unsuspecting companies.

Re:

[tibit]

It's not hard, it's simply not part of the usual product specs. The device is supposed to do stuff, that's the primary thrust when doing the development. The mindset of the entire industry must change before we start expecting things to be secure but otherwise buggy first, not - as it is now - functionally perfect but insecure.

Re:

[PopeRatzo]

Progressive in press release say 'we hypothesize it's because nerds don't party or stay out late'

Nonsense, I've been to board game parties where 6 of us went through almost a whole quart of 3.2 beer. We rocked the house until almost 10:30pm. I mean, it was a work night after all and I had to get home to watch the DOTA2 quarterfinals on Twitch.tv.

Re:

[mrchaotica]

In some areas, literally 100% of drivers are speeding. Does that mean they're all selfish assholes, or does it mean the speed limit is too low?

Re:

[sjames]

It can cause psychiatric symptoms in some...

Re:

[PPH]

Wow. I wonder what I'd do if my State Farm agent pulls this stunt on me. My cars predate OBD II or any other diagnostic ports by a few decades.

I'd be happy to put them in the ashtray or something.

Re:

[Bob the Super Hamste]

I'd tell them they can install it on my vehicle and let them sort out a positive ground pre-emissions little british roadster. Of course the Lucas Electric components may let magic smoke out of their device but it wouldn't be my problem.