Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
Security MIA In Car Insurance Dongle
mumom10
User Rank: Apprentice
1/26/2015 | 1:27:19 AM
Hack the dongle
This is downright unethical. There is no way the company didn't know how insecure this device was. This is a privacy violation to begin with - to expect a customer to allow an insurance provider to track. It should be illegal.
Broadway0474
User Rank: Apprentice
1/21/2015 | 8:57:21 PM
Re: security in devices
@ODA155, I'm going to be up late again tonight! That's a good point about Progressive. What blew my mind is that they are an insurance company and thus in the BUSINESS OF RISK. They should know the risk of putting this device in their customers' cars. But like you alluded to, the risk goes beyond just dollars and cents should something happen. Their whole brand is based on protecting their customers, being there for them in a fix. This situation serves to undermine their brand, their reputation, at its core.
ODA155
User Rank: Ninja
1/20/2015 | 10:27:35 PM
Re: security in devices
@Broadway0474,...

Hey Broadway... good to see that I'm not the only one up late working :-)

"...cost-benefit analysis... How much will it cost to fix these issues?... How much could it probably cost if something bad were to happen?... If the former is more than the latter, then move forward. A miscalculation is usually how a massive recall happens. Or a class action lawsuit."

In my opinion, that is the reason why we have so many products with poor coding and/or no security at all. How about this: a) do it right the first time, b) if it's broken, fix it (period). In the case of this particular device in this article, it's an insurance company we're talking about! People ARE their business, insuring their cars and other properties... show me that you really do care about me as you claim in all of your commercials, or do your CBA and pray that you don't get sued... for something.
Broadway0474
User Rank: Apprentice
1/20/2015 | 10:16:28 PM
Re: security in devices
Sure, someone is doing the cost-benefit analysis on all these things. How much will it cost to fix these issues? How much could it probably cost if something bad were to happen? If the former is more than the latter, then move forward. A miscalculation is usually how a massive recall happens. Or a class action lawsuit.
ODA155
User Rank: Ninja
1/20/2015 | 12:51:09 PM
Re: security in devices
This is a little off topic, but please correct me if I'm wrong, but IoT (Internet of Things) is not a real architectural goal or plan, it's just the way the Internet already is and business wants to take advantage of that. If you have a device that connects to the Internet then you're a part of IoT whether you want to be or not, like being in a swimming pool with everyone else who's in the pool. But an IoT (Intranet of Things) would be something that a single or multiple organizations who agree to a plan or an architecture could control.

However, I see your point, but until organizations, government and even private citizens with all of these connecting "things" that make up the IoT decide to get their collective and personal security acts and priorities together, this is where we'll be. Just think, Mr. Thuen tested his theory on a 2013 Toyota Tundra truck, and that is NOT the most sophisticated or computerised vehicle on the road. There was an article in Forbes back in August 2013 ("Hackers Reveal Nasty New Car Attacks--With Me Behind The Wheel (Video)") about hacking a Ford Escape... A man used his Toyota Prius as a generator during Hurricane Sandy... Car and Driver did an article in August 2011 about the concerns that the Center for Automotive Embedded Systems Security (CAESS) had about the proliferation of computers in cars. Heck, I just heard a piece on NPR a week or so back about how Ford is ramping up for the next few years to add more technology that will allow the car to do more and the driver to do less... cars can park themselves... Google and Audi both have driverless cars, for God's sake!

So, at least to me, there is NOBODY that should be surprised that in the rush to get all of this technology into our cars, short-cuts will be taken and security and QA will be ignored.
Somedude8
User Rank: Apprentice
1/20/2015 | 12:41:32 PM
Re: security in devices
I would bet that on the team that built that thing, there was at least one programmer trying to tell the Powers That Be in their shop that there was a glaring security hole. I have seen this too many times.

"Hey, this isn't secure."

"What would it cost to make it secure?"

"X number of man hours."

"Let's circle back to this later in the development cycle, we have a bit of pressure right now to meet our numbers."
rjones2818
User Rank: Strategist
1/20/2015 | 11:05:15 AM
Re: security in devices
The hackability of IoT devices should make everybody question if IoT should be the path to be followed.
rcrutchlowl6m
User Rank: Apprentice
1/20/2015 | 9:51:12 AM
Re: security in devices
The risk of these auto monitoring devices being hacked and causing potentially deadly mayhem is rising quickly. I have no doubt that Flo (Progressive Insurance) is now scrambling to determine both the device vulnerability and, more importantly (to Flo), their liability if the device is shown to be responsible not just for data theft but also for damage or even (God forbid) loss of life. This vulnerability is not restricted just to these devices but the whole "Internet of Things", and legislators and standards organizations appear to be taking a far too casual interest in the potential consequences... waiting for issues to shake themselves out and passively watching public beta testing rather than being proactive.

It would certainly make sense if, for once, standards (e.g. data encryption, key system isolation, etc.) and enforceable regulation could get out in front of the inevitable threats and provide both a framework and guidance to mitigate the potential chaos. Blackhats are lurking out there.
Marilyn Cohodas
User Rank: Strategist
1/20/2015 | 8:54:16 AM
Re: security in devices
Unlikely that anyone at Progressive was fired (or will be), given the fact that (at least according to what Progressive told Forbes) the insurance company hasn't been "officially" informed of the research behind the vulnerability. Just another issue in the growing list of connected "things" in the Internet of Everything. Yikes...
Broadway0474
User Rank: Apprentice
1/19/2015 | 10:59:08 PM
Re: security in devices
This amazes me that an insurance company could be so oblivious --- perhaps even indifferent --- to risk. I know cyber liability is an emerging risk and not the same as figuring out the chances somebody is going to get into a car accident in the next year, but at the same time, who designed these devices for them? Has someone been fired at Progressive because of this?