Driving (cyber) security
Paco Hope asks if black boxes can make our cars and lives less safe instead of safer
Paco Hope, principal security evangelist, Cigital
According to the British Insurance Brokers Association (BIBA), the number of drivers with ‘black box' telematics car insurance has increased by nine percent since December 2013, with 323,000 live policies compared to the previous 296,000. Drive IQ has also predicted that one in four car insurance policies will be telematics-based by 2020. But can these black boxes make our cars or our lives less safe, instead of more safe?
Car hacking is on the rise, as demonstrated by hackers in the last year, but how can this affect the insurance industry? Can insurance companies suffer fraud if a box is hacked? Can drivers face safety issues because they have telematics boxes attached to their cars?
Most telematics devices are single-board computers that have all sorts of data acquisition circuits – like GPS and motion sensors – as well as communications radios like Bluetooth and cellular data (eg, GSM). They connect to the car's internal network to get data from the vehicle directly, like RPMs, fuel usage, speed and engine status. All the car's functions, such as brakes, speedometer, airbags and entertainment systems all connect to this internal network. In principle, these black boxes can determine how fast the car was travelling, how loud the stereo was or whether the ABS was activated when a driver hit the brakes.
Between the device's own sensors and its always-on internet connection, there's no hiding from it. It knows where you are on the planet, how fast you are going and what else is going on. This data is frequently streamed raw to the cloud where it is processed. This is where a lot of issues come into play.
The industry watched the Jeep Cherokee hack last year with interest. It sparked concerns about similar incidents in other models and other systems. Fundamentally, the Jeep had a direct connection from the internet to the car engine, and every internet connection is a two-way street. A malicious user may not be able to connect directly to the black box – and therefore the car – but it is possible to control the network the box talks to. For example, what if a hacker created a fake mobile tower and convinced the device it needed a new firmware update? Often these devices do little or nothing to verify the authenticity of software, so nearly anything could be loaded and run on the device. Users could potentially reprogramme their telematics boxes to stop sending certain kinds of information to insurance providers; they could use hacked boxes to upload falsified data. Insurance companies need data integrity for their pricing and risk management to be successful.
Data integrity on the road
Why does an insurance company believe the black box data coming to it is definitely from the device it claims to be? Why do they believe it's from a device at all? If they have created a secure device that can't be tampered with or impersonated, perhaps it is trustworthy. Since there is real incentive for fraud, and profit to be made from selling black market modifications to these boxes, insurance companies should ask themselves how they're ensuring the integrity of the data. Consider commercial drivers: if they drive safely, they can receive preferential rates. If they were able to drive recklessly and far faster than the speed limit, they might earn more money driving without being penalised for their risk taking.
What about privacy issues?
The average consumer is sharing all this information without any sort of filter. They can't control the device and can't determine when they do or don't want it to track where they've been. The insurance company can use this data for its overt purpose – pricing insurance – but it can easily sell the data to third parties. For example, an insurance company can sell data about drives to and from supermarkets to the grocery store chains – the consumer rarely has any control over the data being collected or how it is shared. They are presented with a one-time agreement to terms and conditions and their choices are to accept them or not. Few controls exist to let consumers make choices about their data and although the insurance industry is highly regulated, few laws limit what companies can or can't do with the data they collect.
Is your device trustworthy? How would you know?
Consumers need to be concerned about the trustworthiness of the device they have fitted on their car, but they have few tools to evaluate its integrity. They are streaming data about themselves back to these companies but have little visibility of what that data is, and fewer ways of exercising control.
What does all this mean?
Putting all of this together, connected cars represent a complex system for which emergent behaviours will manifest. Data monitoring using black box telematics produces significant benefits to both insurers and drivers. But the software and hardware are still young, unfamiliar and unregulated. The devices create both safety and privacy risks that impact drivers, insurance firms and auto manufacturers. Ensuring the separate pieces of the system have had comprehensive security risk identification and mitigation is crucial to all who use and interact with automobiles. Without this comprehensive view at the earliest stages of development, unintended consequences will be discovered and exploited.
Contributed by Paco Hope, principal security evangelist, Cigital