Tag Archives: Telematics

Land Rover Telematics Not Secure – Gee, I Am Surprised

While I have written about this in general before, this item is specific to the Land Rover and its “Discovery” model.  If this is a surprise to you, it should not be.

If you buy a used Land Rover, it is possible (likely) that the previous owner can still control your car through the Land Rover app or web site.

In *THEORY*, if you trade your Land Rover to an *AUTHORIZED* dealer, they are supposed to reset the telematics module to disconnect the previous owner.  That does not always happen.

In addition, in the case of a private sale or a sale through a used car dealer, that probably never happens.

When the writer of the article liked below tried to link his newly acquired used Land Rover to the app, it said it was still connected to the previous owner.

That previous owner could unlock the care, adjust the climate and using the nav system see where he had gone and where he currently was.

Land Rover’s call center is apparently not trained to deal with it because they told him to find the previous owner.  Sure!  Right!

After the Register contacted Land Rover’s press office, sensing a PR disaster, they said that they could have handled it better.

They did say that he could take the car to the dealer and the dealer would reset it.  Probably for a not-so-nominal fee, but they did not address that.

So, as a buyer of a used car, what do you need to do?

First of all, hopefully, if the car is a new car from the dealer, this should not be a problem.  This is only a problem with used cars.

If you buy a used car from a dealer, at the time of sale you should ask the dealer to confirm that they have reset the telematics.  To be safe, you can get the dealer to help you download the app and connect the car to the app.  That way if the dealer is lying, you can call him on it right then, right there.

If it is a private party sale, you can ask the seller if he released the car from the app, but again, the best way to do it is to download the app while the previous owner is still within arms length and you can strangle him (figuratively, please).

One other note.

With laws like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, it is likely completely illegal for the car’s manufacturer to continue to collect data after the car is sold on the used car market.  After all, even if the first buyer granted the manufacturer permission to collect data, the second buyer almost certainly did not and both laws have very explicit requirements for how the disclosure and opt in/opt language has to read.  I think the courts will side with the used car buyer saying that the manufacturer did not provide “clear and conspicuous notice”. Expect a nice, juicy class action soon.

Information for this post came from The Register.

Allstate: We’re Going To Sell Your Data

I don’t think that Allstate is a whole lot different than other insurance companies;  maybe they are just being more open about it.

Allstate has announced a new company called Arity, who’s job it is to sell your data.  Insurance companies have a lot of data and creating more every day.  One part of the auto insurance business is something called usage based insurance or UBI.  With UBI, the insurance company gives you a little gizmo that plugs into your car.  It detects every time you get in your car and will tell the insurance company how long you drove, how fast you drove, whether you hit the brakes hard, etc.  So they know that at 7:30 every morning you leave for work, your house is here, you take this road to get to work and your work is there.  In addition, they know how fast you drive, whether you switch lanes a lot, etc.

The first reason they collect that data is so that they can price a policy to your driving.  If they ask you, you will say that you drive like granny did on her way to church on Sunday, when in fact, granny drives funny cars at Bandimere (for those of you not in Denver, Bandimere is a local drag strip) on Saturday nights.

Since the insurance business is so competitive, Allstate figured out that they could make a little extra coin by selling your data.  They will even sell it to their competitors.

What they have not said is exactly what data they are selling, whether it is anonymous or not, etc.  Probably they never will say.  After all, they want the greatest possible flexibility in selling your data to maximize revenue.

In addition to selling your data to other insurance companies, other businesses might be interested.  Telecommunications companies, banks and retailers are just a couple of examples of those potential customers.

The challenge is that every insurance company has this data too.  If they all have it and all sell it, who is going to buy it?  That could lead to a price war.

Stay tuned for more fun.


Information for this post came from Insurance Networking News

Car Makers Want To Protect Your Information


Car makers are limiting the data they are sharing with Apple and Google though car entertainment systems (what the car makers call infotainment).

This is not because they value your privacy, but rather because they want to be able to sell your data themselves and if they no longer own it because they gave it to Apple or Google, they won’t be able to do that.

The car makers are hoping to make a billion dollars from selling your data some day in the future, so they want to keep their options open.

Some car makers have said that they will not give information like steering, braking and throttle, even though they capture that data.  If Google, for example, were to create an app that uses that data, the car makers don’t make any money.  Google, from their viewpoint, wants as much data as possible.

GM has told its investors that GM expects to make $350 million over the next three years from the data connections they are building into cars.

AlixPartners, a consultancy, expects the global revenues from digitally connect cars to be $40 billion a year by 2018.

The downside of this from the user’s standpoint is that each car will be different and there will not be any way to exchange information from car to car (say you are a two car family with cars from different manufacturers).

GM, for example, says that they are not feeding any information to Apple or Google.   VW says that Google and Apple want more information than they are willing to give.

Everyone wants to control your eyes, mind and heart – and, of course, your wallet – whether that is an analog or digital wallet.  At this point, there is no clear winner and likely won’t be for years.  What we do know is that everyone is going to be selling a piece of you.

Information for this post came from Reuters.

Want To Hack Into A Car? Got $60?

Yup, that is all it takes.

Eric Evenchick will present at Blackhat Asia a $60, open source, car hacking tool (see article).  You have to provide your own USB and OBD2 cables.  With Eric’s CANCard and his library of Python based scripts, you can hack around in your car (or maybe someone else’s) and see what kind of havoc you can wreak.

Before you panic, your car is not likely to be hacked because the car companies have one thing going for them.  Diversity.

Unlike your Windows computer or iPhone, there is a huge amount of variability between cars – between cars from different companies, between cars of the same company but different models and between cars of the same model but different years,

That means that any hack you make might only work on a 2014 Ford Taurus – and not on a 2013 Taurus or 2014 Ford Escape and certainly not on a 2010 Chrysler 300.  Or it might.  It’s a crapshoot.

That also probably explains why it takes so long to get a new car from design to production – the designers insist on reinventing the wheel with every car.  Ever notice how many auto light bulbs or wipe blades there are in an auto parts store.

Still, for $60 plus a couple of cables you too can mess with someone’s car.  That has to increase the likelihood of people messing around.  And when they mess around they will find stuff.

Depending on the car companies attitude when the hackers tell them about their problems, it could enhance reliability and security.

On the other hand, it may be hard for auto makers to patch your window control without having you bring the car into the dealership, which is expensive.  BMW very proudly patched a security hole in their telematics system (that is sort of a fancy term for a cell phone built into your car and all the stuff that is connected to  – like GM OnStar or Ford Sync) without having owners bring their cars in.  High end cars are more likely to have telematics – but it is still an option in most cases.

And, if car companies can call your car and patch your window control, can hackers do it also?

Or maybe the hackers will decide to publicly disclose the security hole to embarrass the car companies into action.

Or maybe, they will report what they find to the National Transportation Safety Board.

These last two options probably will keep car executives up at night.

A bit scary.


Hacking Your Car – It Is Not So Hard

Probably many of you saw the 60 Minutes segment on hacking your car (see video here).  In the 60 Minutes segment, the researcher/hacker was able to turn on the wipers and washers, blow the horn and disable the brakes in that demonstration.  Here is a link to a conversation with the guys who did the 60 Minutes hack (See link.  This is a podcast and the part that you may be interested in starts right at 1:00:00 into the video and lasts about 45 minutes)

The NY Times reported about a team of researchers from the University of Washington and the University of California at San Diego who took over the basic functions of a car, including control of the engine, remotely.  They delivered their report to the National Academy of Sciences last week.

These particular attacks compromised the telematics systems of these cars – basically a glorified old cell phone system – and took over the cars.

BMW just patched a particular bug a few weeks ago (see post).  They were very proud that they patched this vulnerability in only 9 months and sent the patch over this cell phone connection so you didn’t have to take the car to the dealer to fix it.  Is it likely that a hacker could do the same thing – you decide?

Today cars have as many as 50 computers in them, most all of which are connected to a “Car Area Network”.  Effectively, very similar to the LAN in your office, this CAN Bus (technically CAN stands for controller area network) was designed by Bosch in 1983 and published as a standard in 1986 (see reference).  The current version, 2.0, was released in 1991.  That would make the standard almost 25 years old.  Think about the cell phone you had 25 years ago.  Would you want to use that today?

The CAN Bus has no security at all and is very slow (think of accessing the Internet today over a dialup modem from 25 years ago).  That is what your car is doing.

In June 2013, Michael Hastings, a reporter in L.A. who wrote some pretty controversial articles was killed in a single car accident.  The car exploded in flames and crashed into a tree (it is unclear which order that occurred in) and the accident happened with such force that it threw the engine 50 yards from the car (see article).

Could someone who was unhappy with Michael’s reporting have hacked the car?  In the old days you would just attach a bomb to the car.  That leaves evidence.  Assuming that really happened in this case, there would be no evidence.  Those 50 computers in his Mercedes don’t generate log files like your PC can (but probably does not).  Way too much overhead.

Richard Clarke, who worked in the State Department under President Reagan, headed up counterterrorism efforts under Presidents Bush 1, Bush 2 and Clinton and was a special advisor to President George W. Bush on cyberterrorism, said (see quote):

I’m not a conspiracy guy. In fact, I’ve spent most of my life knocking down conspiracy theories,” said Clarke, who ran afoul of the second Bush administration when he criticized the decision to invade Iraq after 9/11. “But my rule has always been you don’t knock down a conspiracy theory until you can prove it [wrong]. And in the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can’t prove it.”  

Just to be clear, Clarke is NOT saying that Hastings’ car was hacked, just that it was possible.  Given what we saw on 60 Minutes, that would be hard to argue with.

Also, if that occurred, it would be very unlikely that there was any evidence left behind to prove or disprove the fact.  The circuit boards likely burned up in the ensuing fire.

Could a nation state execute an attack like this – absolutely.  No question.  Richard Clarke said that it was very unlikely that the L.A. police department had the expertise to figure out if the car was hacked – assuming they had any inclination to do so.

I wrote about Senator Markey’s questioning of auto manufacturers on the subject of security (see post) a few weeks ago and only one manufacturer out of 20 responded with anything that remotely dealt with the issue.

What needs to happen is a redesign of the CAN Bus – Bosch has done some work in that area (like CAN FD 1.0) and it can coexist with the old protocols, but adding security would break everything that is already deployed.

That redesign probably won’t happen until a catastrophe occurs.

If you car does not have telematics (like GM’s On Star, Toyota’s Safety Connect, Ford’s Sync, Mercedes MBrace or other systems), then the hacker would have to have physical access to your car.  That could be as simple as getting you to play an infected DVD – not very complicated – but the hack shown on 60 Minutes would not have worked.

Finally, there is a privacy concern.  For example, these hackers could turn on the in car microphone and eavesdrop on you – the NSA might be very interested in doing that to terrorists.

I don’t know if the 60 Minutes piece is enough to get the car makers in gear (to avoid the threat of Congress “helping” them), but let’s hope so.



Your Car’s Cyber Security Stinks

Yes, that is basically the summary of a Network World Article on the subject.

In a high end car there are hundreds of computers and millions of lines of software.  Gone are the days when you car was a big hunk of machined metal.

Now your car is a super computer network on wheels.

The patch that BMW released a couple of weeks ago and the hacking demo of the Tesla that opened the car’s doors while it was driving down the highway (see CNN article) are but two very public demonstrations of the vulnerabilities in today’s cars.

While some car owners have claimed that their cars have done very strange things while they were driving them, for the most case, the government and automakers have not been able to recreate them.  That doesn’t mean that the issues aren’t real.

Sen. Edward Markey (D-Mass) commissioned a study, the conclusion of which is that there is a

“clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”

Some of the trends in Markey’s study include:

  • Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.
  • These manufacturers collect an incredible amount of information about you and your driving practices over wireless networks, usually with no security and always with no rules regarding what they collect, how they use and and if they inform the consumer about their practices.
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most said they rely on technologies that cannot be used for this purpose at all.

The last bullet is the most concerning.  Only two out of twenty manufacturers were able to detect and respond to hacks in real time (of the 20, 4 did not even respond to the Senator’s request for information).  If your computer is hacked and it takes Microsoft 6 months to come up with a patch, you may have your bank account drained or your data erased, but if your car is hacked, you may crash into a tree at 60 miles an hour and be killed.

While no one is suggesting that this is happening today, the use of software in cars is growing geometrically and no one is really doing very much about the security.  Some of the demonstrations have used a laptop connected physically to the car (which a hacker could do with advance planning).  One even used an infected CD in the CD player.

What is clear is that, as Tom Cruise said many years ago in a different context, this is a target rich environment.

The automobile industry is beginning to work on voluntary activities regarding both safety and privacy, but none of those activities are mandatory.  If you read Sen. Markey’s study, you will see that for many of the questions asked, the manufacturers either refused to answer or gave vague platitudes.  Other questions were answered with answers that had little to do with the question asked.

Given that right now the hackers have their hands full stealing our credit cards, healthcare records and other personal information, it may take a few years before they figure out how to monetize hacking your car, but fear not – they will.  Just like hackers nuked Sony into the stone age or, on a small scale, cryptolocker encrypts your personal computer in exchange for ransom, what if hackers nuked your car.  You have it towed to the dealer and they say they have no idea.  For the most part, dealers do not have the technology to reprogram most of your car’s computers in the field, which means that they would want to replace those computers, costing you hundreds to thousands of dollars.  Even if it is under warranty, would the manufacturer cover that cost or say that this is not a manufacturing defect.  For sure, the lawyers would get rich.