One of the most common concerns with telematics, is that big brother idea, that companies are looking over your shoulder at every moment of the day. While not strictly true, it’s a valid concern people have and will need to address if they ever consider adding telematics to their vehicle(s) or those of their business. However, something they shouldn’t have to consider is how secure their tracking hardware is, which is exactly what people almost had to do with Zubie.
Zubie was a small tracking and navigational tool that worked like a standard telematics device. It worked by connecting up to the vehicle’s diagnostics port, tracking information like speed, location, acceleration, braking and the status of all the little components in the connected vehicle’s engine. That information was then sent wirelessly to the cloud, where Zubie could analyse it and output readable and actionable data to the user’s smartphone, letting them improve their driving or at the very least, let them know they’re doing a good job.
However, what security research firm Argus Cyber Security discovered, was that Zubei was in-fact sending and receiving information entirely unencrypted. That means that when it received updates, they could have come from anywhere as neither did they need to have a digital signature. This could potentially have allowed hackers to send malicious code straight to the brain of user’s cars.
This isn’t all hypothetical either. Argus Cyber Security was able to perform the hack using its own spoofed server. This gave the team the ability to download a trojan horse to the vehicle itself, which essentially allowed it to take control of it entirely. They were able to unlock the doors and even mess with readouts on the internal dashboard, something that could cause real dangers for someone driving, or at the very least, make it very easy for the vehicle to be stolen.
The real worry is when someone takes this a step further and figures out how to influence important safety features like brakes, airbags and pedal control.
On top of all this, the hack allowed Argus to keep track of the vehicle’s location at all times, violating drivers’ privacy and thereby making them more capable of becoming a victim of other forms of crime.
While Argus doesn’t want to reveal which car it was able to hack – there’s no need to give nefarious hackers any more ammunition with this sort of thing – it did suggest that all automakers look to shore up their digital defences. Sending information unencrypted is incredibly dangerous, so if they or indeed you (reader), are thinking of taking on telematics, make sure you know all your data is secure first.
“As car connectivity is on the rise, there is a real need to bridge the gap between its tremendous inherent benefits and its potential hazards”, reads the Argus bloog post. “This is why we believe the industry should adopt a proactive approach towards cyber security.”
For Zubie’s part in this, it has now fixed the flaw. According to its PR department.