
Comments
Security MIA In Car Insurance Dongle
mumom10
User Rank: Apprentice
1/26/2015 | 1:27:19 AM
Hack the dongle
This is downright unethical. There is no way the company didn't know how insecure this device was. This is a privacy violation to begin with - to expect a customer to allow an insurance provider to track. It should be illegal.
Broadway0474
User Rank: Apprentice
1/21/2015 | 8:57:21 PM
Re: security in devices
@ODA155, I'm going to be up late again tonight! That's a good point about Progressive. What blew my mind is that they are an insurance company and thus in the BUSINESS OF RISK. They should know the risk of putting this device in their customers' cars. But like you alluded to, the risk goes beyond just dollars and cents should something happen. Their whole brand is based on protecting their customers, being there for them in a fix. This situation serves to undermine their brand, their reputation, at its core.
ODA155
User Rank: Ninja
1/20/2015 | 10:27:35 PM
Re: security in devices
@Broadway0474,...

Hey Broadway... good to see that I'm not the only one up late working :-)

"...cost-benefit analysis... How much will it cost to fix these issues?... How much could it probably cost if something bad were to happen?... If the former is more than the latter, then move forward. A miscalculation is usually how a massive recall happens. Or a class action lawsuit."

In my opinion, that is the reason why we have so many products with poor coding and/or no security at all. How about this, a) do it right the first time, b) if it's broken, fix it (period). In the case of this particular device in this article, it's an insurance company we're talking about! People ARE their business, insuring their cars and other properties... show me that you really do care about me as you claim in all of your commercials or do your CBA and pray that you don't get sued... for something.
Broadway0474
User Rank: Apprentice
1/20/2015 | 10:16:28 PM
Re: security in devices
Sure, someone is doing the cost-benefit analysis on all these things. How much will it cost to fix these issues? How much could it probably cost if something bad were to happen? If the former is more than the latter, then move forward. A miscalculation is usually how a massive recall happens. Or a class action lawsuit.
ODA155
User Rank: Ninja
1/20/2015 | 12:51:09 PM
Re: security in devices
This is a little off topic, but please correct me if I'm wrong, but IoT (Internet of Things) is not a real architectural goal or plan, it's just the way the Internet already is and business wants to take advantage of that. If you have a device that connects to the Internet then you're a part of IoT whether you want to be or not, like being in a swimming pool with everyone else who's in the pool. But an IoT (Intranet of Things) would be something that a single or multiple organizations who agree to a plan or an architecture could control.

However, I see your point, but until organizations, government and even private citizens with all of these connecting "things" that make up the IoT decide to get their collective and personal security acts and priorities together, this is where we'll be. Just think, Mr. Thuen tested his theory on a 2013 Toyota Tundra truck, and that is NOT the most sophisticated or computerised vehicle on the road. There was an article in Forbes back in August 2013 (Hackers Reveal Nasty New Car Attacks--With Me Behind The Wheel (Video)) about hacking a Ford Escape... A man used his Toyota Prius as a generator during Hurricane Sandy... Car and Driver did an article in August 2011 about the concerns that the Center for Automotive Embedded Systems Security (CAESS) had about the proliferation of computers in cars. Heck, I just heard a piece on NPR a week or so back about how Ford is ramping up for the next few years to add more technology that will allow the car to do more and the driver to do less... cars can park themselves... Google and Audi both have driverless cars, for God's sake!

So, at least to me, there is NOBODY that should be surprised that in the rush to get all of this technology into our cars, short-cuts will be taken and security and QA will be ignored.
Somedude8
User Rank: Apprentice
1/20/2015 | 12:41:32 PM
Re: security in devices
I would bet that on the team that built that thing, there was at least one programmer trying to tell the Powers That Be in their shop that there was a glaring security hole. I have seen this too many times.

"Hey, this isn't secure."

"What would it cost to make it secure?"

"X number of man hours."

"Let's circle back to this later in the development cycle, we have a bit of pressure right now to meet our numbers."
rjones2818
User Rank: Strategist
1/20/2015 | 11:05:15 AM
Re: security in devices
The hackability of IOT devices should make everybody question if IOT should be the path to be followed.
rcrutchlowl6m
User Rank: Apprentice
1/20/2015 | 9:51:12 AM
Re: security in devices
The risk of these auto monitoring devices being hacked and causing potentially deadly mayhem is rising quickly. I have no doubt that Flo (Progressive Insurance) is now scrambling to determine both the device vulnerability and more importantly (to Flo) their liability if the device is shown to be responsible not just for data theft but also for damage or even (God forbid) loss of life. This vulnerability is not restricted just to these devices but the whole "Internet of Things" and legislators and standards organizations appear to be taking a far too casual interest in the potential consequences ... waiting for issues to shake themselves out and passively watching public beta testing rather than being proactive.

It would certainly make sense if, for once, standards (e.g. data encryption, key system isolation, etc.) and enforceable regulation could get out in front of the inevitable threats and provide both a framework and guidance to mitigate the potential chaos. Blackhats are lurking out there.
Marilyn Cohodas
User Rank: Strategist
1/20/2015 | 8:54:16 AM
Re: security in devices
Unlikely that anyone at Progressive was fired (or will be), given the fact that (at least according to what Progressive told Forbes) the insurance company hasn't been "officially" informed of the research behind the vulnerability. Just another issue in the growing list of connected "things" in the Internet of Everything. Yikes...
Broadway0474
User Rank: Apprentice
1/19/2015 | 10:59:08 PM
Re: security in devices
This amazes me that an insurance company could be so oblivious --- perhaps even indifferent --- to risk. I know cyber liability is an emerging risk and not the same as figuring out the chances somebody is going to get into a car accident in the next year, but at the same time, who designed these devices for them? Has someone been fired at Progressive because of this?