The telematics industry suffered a bit of a setback this month, when it was found that the hardware used by US insurance firm Progressive for its telematics tracking could easily be hacked, potentially exposing the data of some two million drivers across its network of customers. Because the telematics used by Progressive are also employed by Australian company QBE, many of its customers were concerned that their data too may be at risk. To clarify, QBE has now come out and stated that this is not the case and, in fact, even said that its security is far better than that of its American counterpart.
Unlike Progressive’s system, QBE’s telematics ‘black-box’ doesn’t store any local data for the driver at all and has many more security measures in place to prevent it from being compromised. In comparison, Progressive’s device has no security features whatsoever, so when security researcher Corey Thuen, from Digital Bond Labs, took it apart and tried to figure out what he could do with it, it turned out not to be much of a challenge at all.
What’s potentially scary about this is that it would let hackers gain access to the vehicle’s internal network, as well as steal data from it. That means that with a little tinkering it might be possible to use a telematics device like the one sent out by Progressive to its customers to gain control of certain functions of the vehicle. Some even believe it could allow a nefarious individual to take control of the car entirely.
“The firmware running on the dongle is minimal and insecure,” Thuen said (via Forbes). “It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.”
Thuen also said that the technology in the devices was outdated and ill-equipped to deal with the theoretical individuals out there that may want to take control of people’s cars remotely. He went on to say that this was especially worrying, because cars themselves are designed to be insecure to avoid any hiccups in their operation.
QBE was understandably keen to point out the difference between its telematics black box offering and that of Progressive, stating that the one it distributes to customers has no ability to provide access to the vehicle’s internals. On top of that, it stores no local data, so there is no reason to believe that a QBE black box could create security holes.
“The device has no ability to issue commands into the Engine Management System or enter the gateway so Insurance Box is not open to those same hacking risks,” the spokesperson stated (via InsuranceBusiness).