Disclaimer. The disclaimer from the 1^st in the series completely applies to this and all further additions to the series of articles.

Hardware Attack-Dongle

Third parties are reviewing their options as to different manners to market their services to vehicle owners. One of the more prolific examples of this lately has been the dongle which plugs into the OBD-II port. A number of insurers have been marketing these as a way to lower the vehicle owner’s vehicle insurance.

A recent example of this, which has not been openly exploited yet, is the Verizon Hum. This piece of equipment “…turns almost any car into a smarter, safer, more connected car…” per Verizon. This service allows for vehicle diagnostics, roadside assistance, speed and location alerts, driving history, stolen vehicle location, and noting where the owner parked the vehicle.

The equipment from Verizon consists of the dongle which plugs into the OBD-II port, a Bluetooth speaker that clips to the vehicle’s visor (used with roadside assistance and emergency help), and the app on the owner’s smart phone.

As part of the service, there are contractual obligations in the Terms & Conditions (T&C) agreement. Notably,

• In the privacy section, the client is allowing the Hum system to collect data regarding the vehicle’s use and performance,
  • This information may be shared.
  • They may combine this information with others to gain insight on the HUM users.
• Your Responsibility
  • The client will notify Verizon immediately of any breach of security or unauthorized use.
  • The client will not reverse engineer, disassemble, remove, alter, circumvent, or otherwise tamper with any security technology,
• Ownership/Confidentiality
  • The client will not publish, broadcast, retransmit, or otherwise reproduce the information…Any violation…is an infringement of copyright or proprietary rights…”

After reading this, there were several questions that were unanswered, including:

• How is the data collected?
• How is the data collected from the Hum in the OBD-II port to the Bluetooth or to the Verizon servers or to third party vendors (e.g. car breaking down)?
• Who is the data shared with?
• How is the account password stored?

Verizon was asked regarding the Hum device via a post on the Verizon Support website community on May 1, 2016, another post on the Verizon Wireless Facebook page on May 1, 2016, and the Verizon Facebook page on May 3, 2016. As of May 8, 2016 there was no response. Finally, Verizon was called on May 9, 2016. “Ken” was spoken with re: the security protocol. His response to the broad question regarding the security protocol was “I don’t know”, however he did state the method “Don’t transmit in clear text I believe”.  This provided little comfort as it relates to security and potentially provides for an additional endpoint to analyze and attack.

A vendor with more of a security focus is Allstate. The insurance agency has the Allstate Drivewise Mobile App. Allstate was also exceptionally prompt in responding to questions, which was greatly appreciated. With their service, the clients are in good hands. Their app does the work with a mobile app and not third party equipment being plugged into the vehicle’s ports. This works with collecting GPS data through the phone. The security is managed through the smart phone and app on the smart phone.

Learn more ways to protect your business at The National Cybersecurity Institute.

Source

Verizon. Hum: The technology designed to make your car smarter, safer, and more connected. Retrieved from http://www.verizonwireless.com/landingpages/hum/

 

Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.

 

Consider these facts…women make up over 50% of the current workforce, and outnumber males in attaining college degrees. However, only about 26% of STEM positions are held by women, and even worse, only about 11-13% of the workforce in cybersecurity are women.  There are numerous documented reasons for the paucity of females in STEM/IT/Cyber, and there are many suggestions as to how this imbalance can be dealt with.

One of the suggestions is to highlight women that have been successful and use them as role models for those making their way through our learning institutions to emulate.  What follows is a list of female corporate executives that have made it to the top of the ladder, many in the tech industries. Granted, the list isn’t as long as it should be, but it does demonstrate to the up and coming that with perseverance, anything is possible.

Mary Barra	General Motors
Meg Whitman	Hewlett-Packard
Virginia Rometty	IBM
Indra K. Nooyi	PepsiCo, Inc.
Marillyn Hewson	Lockheed Martin
Safra A. Catz	Oracle
Irene B. Rosenfeld	Mondelēz International
Phebe Novakovic	General Dynamics
Carol Meyrowitz	The TJX Companies, Inc.
Lynn Good	Duke Energy
Ursula M. Burns	Xerox Corporation
Deanna M. Mulligan	Guardian Life Insurance Company of America
Barbara Rentler	Ross Stores
Debra L. Reed	Sempra Energy
Kimberly Lubel	CST Brands
Sheri S. McCoy	Avon Products Inc.
Susan M. Cameron	Reynolds American
Denise M. Morrison	Campbell Soup
Kathleen Mazzarella	Graybar Electric
Ilene Gordon	Ingredion
Lisa Su	Advanced Micro Devices
Jacqueline C. Hinman	CH2M Hill

Learn more about Women and Minorities in Cybersecurity at the National Cybersecurity Institute.

List retrieved from the Internet at https://en.wikipedia.org/wiki/List_of_women_CEOs_of_Fortune_500_companies