
An insurance company’s API exposed customers’ car location histories - ilpianista
https://www.andreascarpino.it/posts/how-my-car-insurance-exposed-my-position.html
======
thavch
Having worked in the connected car/telematics industry for a while as a
contractor, I can very well relate to this and can confirm that the security
systems in place inside the car's telematics unit are not good enough. For
example, in one of the OAuth processes for authenticating a car with the cloud,
the VIN was passed around as the client secret and the MDN of the modem as the
username! We recommended immediately stopping this practice, but the "IT" dept
of the automotive maker said, "You know we sell cars, not security software."
There is no budget to rewrite the mechanism, and the telematics unit cannot be
updated OTA. The upgrade requires customers bringing the car to a dealer, and
USB stick updates etc.

I believe the frequent bursts of data from the car were given to insurance
companies. Or they were trying to package an insurance deal along with the car
sale or something.
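The pattern described in the comment above, as an added example in Python that is not code from the commenter, the manufacturer or the insurer: a VIN is a public, structured identifier (its ninth character is a check digit computable from the other sixteen, so a VIN can be validated or repaired offline), which is why passing it as an OAuth `client_secret` is no better than no secret. The second half shows the alternative a practitioner would expect: a per-device random secret provisioned once, stored only as a hash, and compared in constant time. The registry, the modem number and the function names are constructed for the example; the VIN `1M8GDM9AXKP042788` is the commonly cited check-digit worked example.

```python
"""Why a VIN (or a modem phone number) is an identifier, not a credential.

Added example, not the commenter's or any vendor's code. All names, the
registry and the phone number are invented for illustration.
"""
import hashlib
import hmac
import secrets

# Standard VIN check-digit transliteration (I, O and Q are never used in VINs).
_TRANSLIT = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                     [1, 2, 3, 4, 5, 6, 7, 8,          # A-H
                      1, 2, 3, 4, 5, 7, 9,             # J-R
                      2, 3, 4, 5, 6, 7, 8, 9]))        # S-Z
# Position weights; position 9 (index 8) is the check digit itself, weight 0.
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def vin_check_digit(vin: str) -> str:
    """Compute the check digit for a 17-character VIN, ignoring position 9.

    An attacker who sees a VIN with a smudged ninth character can recompute it;
    a 'secret' that can be recovered from its own structure is not a secret.
    """
    vin = vin.upper()
    if len(vin) != 17:
        raise ValueError("VIN must be 17 characters")
    total = 0
    for i, ch in enumerate(vin):
        if i == 8:
            continue
        if ch.isdigit():
            val = int(ch)
        elif ch in _TRANSLIT:
            val = _TRANSLIT[ch]
        else:
            raise ValueError(f"invalid VIN character {ch!r}")
        total += val * _WEIGHTS[i]
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def vin_is_valid(vin: str) -> bool:
    """True if the VIN's ninth character matches its computed check digit."""
    return len(vin) == 17 and vin[8].upper() == vin_check_digit(vin)


# --- The scheme the comment describes: public identifiers used as credentials.
# Constructed registry: VIN -> modem MDN (phone number). Neither value is secret
# or rotatable: the VIN is on the windshield and every insurance document.
REGISTERED_CARS = {"1M8GDM9AXKP042788": "5551234567"}


def weak_authenticate(username: str, client_secret: str) -> bool:
    """username = modem MDN, client_secret = VIN. Anyone who can read both
    identifiers off the car and its SIM paperwork can impersonate the unit."""
    return REGISTERED_CARS.get(client_secret.upper()) == username


# --- Hardened: per-device random secret, provisioned once, stored hashed.
def provision_device(vin: str, store: dict) -> str:
    """Generate a 256-bit client secret for one telematics unit.

    The cloud keeps only a hash; the plaintext goes into the unit's secure
    storage at manufacturing time and is returned here exactly once. The VIN
    remains a fine *identifier* (the client_id), it just stops being the secret.
    A plain SHA-256 is adequate because the token is uniformly random; a slow
    KDF is only needed for low-entropy, human-chosen secrets.
    """
    secret = secrets.token_hex(32)
    store[vin.upper()] = hashlib.sha256(secret.encode()).digest()
    return secret


def strong_authenticate(vin: str, client_secret: str, store: dict) -> bool:
    """Constant-time comparison of the presented secret's hash with the record."""
    stored = store.get(vin.upper())
    if stored is None:
        return False
    candidate = hashlib.sha256(client_secret.encode()).digest()
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    vin = "1M8GDM9AXKP042788"
    print("check digit:", vin_check_digit(vin), "valid:", vin_is_valid(vin))
    print("weak auth with public identifiers:",
          weak_authenticate("5551234567", vin))
    store = {}
    secret = provision_device(vin, store)
    print("strong auth, real secret:", strong_authenticate(vin, secret, store))
    print("strong auth, VIN as secret:", strong_authenticate(vin, vin, store))
```

Run it as a script to see both schemes side by side; the VIN is accepted by the weak scheme and rejected by the hardened one. The hardened path also makes the field problem the commenter raises visible: a random per-device secret can be re-provisioned at a dealer visit, whereas a VIN can never be rotated.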

------
scarface74
No mention of the irony of someone who doesn't use Google Play Services
because he only uses open source software being willing to attach a device to
his car, running closed source software, that tracks everything he does in his
car?

~~~
TillE
I think I have a similar attitude. I have Google's location tracking on, but
search history, YouTube history, etc turned off. I'm much more sensitive to
digital privacy because it has complex, wide-ranging implications, whereas my
location is a limited set of data that I'm more comfortable sharing with a
semi-trusted company.

~~~
chopin
I wouldn't want a company to know when, how often and which doctors I consult,
for one. If you don't want to share your search history you may not want to
share your location data either. I would see these as equivalent.

~~~
pyre
> I wouldn't want a company to know when, how often and which doctors I
> consult, for one.

Depends. A lot of doctors' offices are in "medical parks," so it's entirely
possible they don't know _which_ doctor you are seeing or why. They have
easier access to that information via your calendar (if you use it) than your
location.

~~~
stronglikedan
Also, even if you did go to a doctor's office in the middle of nowhere with
nothing else around and only one doctor working there, that doesn't mean _you_
are there to see the doctor.

For that matter, your location data couldn't be proven to be _yours_ on merit
alone. Anyone can be using my car, and anyone can have my phone, at any given
time.

------
kosma
Until there is some kind of law in place that makes companies financially
responsible for this kind of blunder, it will proliferate. In the current
state of affairs it's simply not economically justified to implement proper
security.

~~~
proaralyst
I have a feeling it's a subtly different problem: the people they've
contracted to build this just don't understand security. They've evidently
attempted to secure this, just in completely the wrong manner!

~~~
jacquesm
Here's an interesting thought: what with the money there is to be made in
security these days, programmers that actually know everything there is to
know about security will leave application development.

There is a good chance that the lure of security consultancy $ is resulting in
a degradation of the quality of the applications.

~~~
bkkssnn
Are you saying developers in general are subconsciously making low security
products to raise the $ in security jobs globally, because they _might_ some
day switch career?

~~~
klez
No, they're saying that if the money is in security, developers that know
about security will go to security, and whoever remains as a developer will
not be good at security.

------
jstanley
So they had this vulnerability live for 3 years, didn't even pay a bounty, and
they _still_ don't get named or shamed? What incentive is there to do a better
job if they can just do a shitty job and nobody finds out?

Name and shame, please!

------
Spooky23
I can't believe that anyone would voluntarily sign up for this. Frankly,
insurance isn't that expensive.

Having a little third party controlled snitch hooked to your car is a security
issue, period. The fact that the implementation is a shitshow is just icing on
the cake.

~~~
Normal_gaussian
At £1400 last year my insurance is expensive. Partly due to living in a city
and using on-street parking, but mostly due to my age (<25). My mother, who had
the same model, paid £250.

The 15% discount for taking a black box still isn't worth it for me, however.

~~~
Spooky23
Wow!

Being part of a late 30s couple with pretty boring driving history in a small
city pays I guess. I pay like $700-850 (depending on how you break out
umbrella liability cost) for maxed out coverage in an above average cost US
state. I think I paid around $1200 when I was a dumb kid with tickets. :)

Even if there were significant savings, it wouldn't be worth it to me to have
that kind of telemetry being gathered. It can only be used against you in an
accident situation.

~~~
gambiting
Over here there's no choice in the limit of cover - EU mandates that every car
insurance _has_ to cover 5 million Euro in personal damages and 3 million in
property damage. The only "optional" thing is whether you want to get
comprehensive insurance which covers your own car for the damage caused by
yourself - but 3rd party liability is always set to that 5 and 3 million by
law.

I guess you could buy some specialist insurance which would cover more but
unless you are planning on crashing into multiple Bugatti Veyrons, it's pretty
much impossible to hit that limit.

~~~
lanaius
Interesting, that's nowhere near the level of insurance (it's significantly
higher) that even non-cut-rate insurers will recommend for most drivers in the
States. After changing providers, we pay $1400 for two cars with
$100,000/$300,000 (individual/total) injury and $100,000 in property coverage.

~~~
Spooky23
I think a big difference in the US is that there's usually no fault for
personal injury, so the liability is pooled.

------
leephillips
Terrible, but they did fix it rather quickly once the flaws were disclosed.
Given many other such stories, the almost expected outcome would be to deny
the problem, have the discloser prosecuted or sued, and put out a fix six
months later that made things worse.

------
libeclipse
What's the point of hiding the identity of the company here? The issue has
apparently been fixed and I'd rather know which company had it so that I can
avoid them.

------
sofaofthedamned
It's a shame he can't name the telematics company. I have a suspicion it's one
I interviewed at a few years ago.

~~~
jacquesm
Funny, you don't name it either.

~~~
GavinMcG
Naming it on a suspicion alone would be irresponsible.

~~~
jacquesm
That's a qualified statement; there is nothing irresponsible about that.
Telematics companies bear close watching anyway. Right now it is, as far as I'm
concerned, a content-free statement.

~~~
GavinMcG
It's absolutely irresponsible, even with qualifications, given what we now
know about how people use that information. Witch hunts happen even with
qualified statements, and down the road people who read qualified statements
tend to forget the qualification and give the negativity more weight than it
deserves.

~~~
sofaofthedamned
Thank you.

Knowing, like in most industries, the layers of ODMs and OEMs etc., it's hard
to pin down who exactly is responsible for a security cockup. And, funnily
enough, having an interview there, I wasn't inclined to do a recce on their
infrastructure. Also, not having a device, I didn't have endpoints or traffic
to test.

------
Beltiras
Post-GDPR this would have resulted in a 20 million euro fine...

~~~
EwanToo
Could have, not "would" have - the fine is variable. I doubt it'll get
enforced regularly.

~~~
Beltiras
The GDPR is vague but the description details shockingly vulnerable APIs that
do not come close to "industry best practices". They would have been made an
example of.

------
OliverJones
The EU and its member countries are still interested in personal privacy. Do
they regulate insurance providers? Could EU, or Italy, exact a penalty against
this provider for failing to do the most elementary of penetration tests on
this system? Perhaps some of the penalty should be a return of premium
payments to customers whose information was potentially exposed.

The point is to make the business-risk managers in other provider companies
say to their executives: "We cannot take the risk of skipping cybersecurity
hardening. If we do skip it and we get caught, our business will be forced
into bankruptcy."

------
wtbob
Note that with the latest changes to Android, using mitmproxy to analyse the
behaviour of apps has become impossible: apps refuse to accept personally-
installed certificates.

In the future, we'll see fewer revelations about this sort of thing, not
because it has become rarer but because Google have chosen a course of action
which obscures it.

(it also breaks things like personal or corporate CAs, but that's a different
problem)

~~~
pyre
It's also hardening against malware basically doing the same thing that
mitmproxy does though.

~~~
mhils
For Android < N, if you install a custom CA, you'll get a permanent "Network
may be monitored by an unknown third party" notification that cannot be
dismissed and stays across reboots. Android wasn't really "insecure" in that
regard beforehand.

Your point is valid, but I think it's a negligible improvement that comes hand
in hand with severe implications for privacy research.

------
draw_down
When my insurance company offered a discount to use one of these devices a few
years back, I smelled a rat. I figured they would use it to observe how fast I
drive vs the speed limit so they can decide how "safe" of a driver I am or
whatever. But also my insurance is very inexpensive so discounts on it are not
a big motivator.

I guess location tracking would make sense too, so they can bust you if the
car stays in a place other than where it's insured for. Or god knows what
else. All of this shit is only going to get worse, a lot worse.

------
red_hairing
It's really sad how young online political activists have adopted privacy
issues instead of adopting issues like workers' rights, vacation time, pay, a
strong welfare state, universal healthcare etc...

~~~
pjc50
Generally they _have_ adopted a lot of those, but privacy is kind of our
specialisation as tech people. Often we see it as a necessary prerequisite to
the others. Especially workers' rights: mass surveillance is used against
worker organisation.

Dismissing people focusing on "X" instead of "Y" is useless and disruptive.

