Dude, where’s my car? Vehicle hacking trends & analysis – #7 in the series

March 31 Webinar

Disclaimer. The disclaimer from the 1st in the series completely applies to this and all further additions to the series of articles.

Hardware Attack-Dongle

Third parties are reviewing their options as to different manners to market their services to vehicle owners. One of the more prolific examples of this lately has been the dongle which plugs into the OBD-II port. A number of insurers have been marketing these as a way to lower the vehicle owner’s vehicle insurance.

A recent example of this, which has not been openly exploited yet, is the Verizon Hum. This piece of equipment “…turns almost any car into a smarter, safer, more connected car…” per Verizon. This service allows for vehicle diagnostics, roadside assistance, speed and location alerts, driving history, stolen vehicle location, and noting where the owner parked the vehicle.

The equipment from Verizon consists of the dongle which plugs into the OBD-II port, a Bluetooth speaker that clips to the vehicle’s visor (used with roadside assistance and emergency help), and the app on the owner’s smart phone.

As part of the service, there are contractual obligations in the Terms & Conditions (T&C) agreement. Notably,

  • In the privacy section, the client is allowing the Hum system to collect data regarding the vehicle’s use and performance,
    • This information may be shared.
    • They may combine this information with others to gain insight on the HUM users.
  • Your Responsibility
    • The client will notify Verizon immediately of any breach of security or unauthorized use.
    • The client will not reverse engineer, disassemble, remove, alter, circumvent, or otherwise tamper with any security technology,
  • Ownership/Confidentiality
    • The client will not publish, broadcast, retransmit, or otherwise reproduce the information…Any violation…is an infringement of copyright or proprietary rights…”

After reading this, there were several questions that were unanswered, including:

  • How is the data collected?
  • How is the data collected from the Hum in the OBD-II port to the Bluetooth or to the Verizon servers or to third party vendors (e.g. car breaking down)?
  • Who is the data shared with?
  • How is the account password stored?

Verizon was asked regarding the Hum device via a post on the Verizon Support website community on May 1, 2016, another post on the Verizon Wireless Facebook page on May 1, 2016, and the Verizon Facebook page on May 3, 2016. As of May 8, 2016 there was no response. Finally, Verizon was called on May 9, 2016. “Ken” was spoken with re: the security protocol. His response to the broad question regarding the security protocol was “I don’t know”, however he did state the method “Don’t transmit in clear text I believe”.  This provided little comfort as it relates to security and potentially provides for an additional endpoint to analyze and attack.

A vendor with more of a security focus is Allstate. The insurance agency has the Allstate Drivewise Mobile App. Allstate was also exceptionally prompt in responding to questions, which was greatly appreciated. With their service, the clients are in good hands. Their app does the work with a mobile app and not third party equipment being plugged into the vehicle’s ports. This works with collecting GPS data through the phone. The security is managed through the smart phone and app on the smart phone.

Learn more ways to protect your business at The National Cybersecurity Institute.

Source

Verizon. Hum: The technology designed to make your car smarter, safer, and more connected. Retrieved from http://www.verizonwireless.com/landingpages/hum/

 

Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.