Three Approaches to IoT Security: Part Three

This article, the third in our three-part series, looks at how one connected-car accessory maker approaches data security, and at how carmakers can take the lead of tech companies by learning from the hacker community.
By Mary Catherine O'Connor
Aug 18, 2015

(Read Part One.) (Read Part Two.)

A late-year model Jeep Cherokee. A 2013 Corvette. A Tesla Model S. In recent weeks, all three of these automobiles have been the focus of well-publicized hacks by data security experts who are working to expose the vulnerability of Internet-connected cars. The three hacks were very different.

In the case of the Tesla, the researchers had to purchase a Model S and reverse engineer its electronics in order to override its control systems, sending a kill command, which shut off the motor. But that was only after being stymied a number of times by Tesla's computer system and finding, as CNET's Antuan Goodwin wrote, that "although the Model S isn't unhackable, its information systems are remarkably well designed and secured, rendering their hacking methods largely impractical for for [sic] anyone who doesn't already have constant physical access to the car."

Researchers from the University of California Santa Barbara seemed to have an easier time taking control of the Corvette. To hack into that car's control systems, they took advantage of a vulnerability in a device that the researchers plugged into the car’s onboard diagnostics (OBD) port. The type of OBD devices used by the hackers contains a cellular modem used to transmit GPS coordinates, as well as speed, to the commissioning company—generally a fleet management firm or a usage-based insurance provider. San Francisco-based insurance company Metromile had issued the OBD dongle used for the Corvette hack, and according to Wired, the researchers shared their findings with Metromile before making them public, by which time Metromile had transmitted an over-the-air patch to correct the vulnerability they had exploited.

The Automatic OBD device
That type of exploit is one that Automatic—a San Francisco company that sells an OBD-based system for tracking driver behavior as part of an application intended to help drivers conserve fuel through changing their driving habits—designs its product to avoid.

"When I started Automatic over four years ago, my cofounders and I were excited to make driving better and safer for every car on the road. As we started developing the software, we looked at every available OBD adapter on the market," Automatic co-founder and CEO Thejo Kote wrote in a blog post last week. "Our hardware engineers took them apart to learn their secrets, and we quickly discovered that they revealed their secrets far too easily. We saw glaring security holes that we couldn’t fix ourselves, so we made the hard choice to build our own hardware."

In building its own OBD device, Automatic made a few key security design decisions, says Rob Ferguson, the company's VP of engineering. "We use a unique encryption key per device," he told IOT Journal. "This is a major differentiator for us."

Rob Ferguson
When manufacturing each Automatic OBD dongle, a unique 128-bit AES symmetric encryption key is generated and used to encrypt data encoded to that device. Automatic stores the keys to on its servers, unconnected to the Internet.

Secondly, Automatic’s dongles will respond to only a select list of commands they receive. This approach is designed to prevent a third party from sending a command that would present a security threat, such as overtaking the car's braking or steering system. Plus, to make any changes to the firmware running on the Automatic devices, one needs a master key (a password).

By and large, Ferguson says, insurance companies have commissioned off-the-shelf OBD devices and have not deployed robust security tools to ensure their security, thereby providing a means for hackers to use the devices as an entrance point into the host car's control systems.

"Automatic is a very good example of a company in the automotive after-market that designed its product with security in mind right from the start," says Steve Hoffenberg, director of IoT and embedded technology at VDC Research. But he adds an important caveat: "If Automatic's device is found to have a major security hole, the car owner can just unplug it. But if a car's built-in electronics are found to have a major security hole, users usually can't do anything about it other than wait for the carmaker to issue a recall or update."

Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations