Hardware Attack-Dongle
Third parties are exploring different ways to market their services to vehicle owners. One of the more prolific examples of this lately has been the dongle which plugs into the OBD-II port. A number of insurers have been marketing these as a way to lower the cost of the vehicle owner’s insurance.
A recent example of this, which has not been openly exploited yet, is the Verizon Hum. This piece of equipment “…turns almost any car into a smarter, safer, more connected car…” per Verizon (http://www.verizonwireless.com/landingpages/hum/). This service allows for vehicle diagnostics, roadside assistance, speed and location alerts, driving history, stolen vehicle location, and noting where the owner parked the vehicle.
The equipment from Verizon consists of the dongle which plugs into the OBD-II port, a Bluetooth speaker that clips to the vehicle’s visor (used with roadside assistance and emergency help), and the app on the owner’s smart phone.
As part of the service, there are contractual obligations in the Terms & Conditions (T&C) agreement. Notably,
· In the privacy section, the client is allowing the Hum system to collect data regarding the vehicle’s use and performance.
    o This information may be shared.
    o They may combine this information with others to gain insight on the Hum users.
· Your Responsibility
    o The client will notify Verizon immediately of any breach of security or unauthorized use.
    o The client will not reverse engineer, disassemble, remove, alter, circumvent, or otherwise tamper with any security technology.
· Ownership/Confidentiality
    o The client will not publish, broadcast, retransmit, or otherwise reproduce the information…Any violation…is an infringement of copyright or proprietary rights…
After reading this, several questions remained unanswered, including:
· How is the data collected?
· How is the data transmitted from the Hum in the OBD-II port to the Bluetooth speaker, to the Verizon servers, or to third-party vendors (e.g., when the car breaks down)?
· Who is the data shared with?
· How is the account password stored?
Verizon was asked about the Hum device via a post on the Verizon Support website community on May 1, 2016, another post on the Verizon Wireless Facebook page on May 1, 2016, and a post on the Verizon Facebook page on May 3, 2016. As of May 8, 2016, there was no response. Finally, Verizon was called on May 9, 2016, and “Ken” was spoken with regarding the security protocol. His response to the broad question regarding the security protocol was “I don’t know”; however, he did state the method: “Don’t transmit in clear text I believe”. This provided little comfort as it relates to security, and the dongle potentially provides an additional endpoint to analyze and attack.
A vendor with more of a security focus is Allstate. The insurance agency has the Allstate Drivewise Mobile App. Allstate was also exceptionally prompt in responding to questions, which was greatly appreciated. With their service, the clients are in good hands. Their service does the work with a mobile app rather than third-party equipment plugged into the vehicle’s ports. It works by collecting GPS data through the phone. Security is managed through the smart phone and the app on the smart phone.