Insurance Telematics: The OBD Hijack

This summer, the buzz in the security sector has been around cyber carjacking – specifically, around how hackers could leverage your car’s onboard diagnostics system to take control of the vehicle while you’re trying to drive.

For example, this month a Chevrolet Corvette starred in a car-hacking demo at the Usenix security conference in Washington, D.C. A two-inch-square device, or dongle, was plugged into the car’s CAN bus. At the conference, researchers from the University of California at San Diego hacked into the dongle and used SMS messages to send commands through it to the internal network that controls the car’s physical driving components.

In other words, they texted the Chevy, and it did what they said. They were able to turn on the windshield wipers and even disable the brakes.

When UCSD researchers alerted the company to the security flaws they’d found in the dongles, it responded promptly with a security patch. “However, the concern is that other brands’ dongles still have holes, and that many of these gadgets aren’t getting updates in a timely fashion,” said Jon Fingas, Engadget contributor. “It’s feasible that an intruder could cause chaos by either forcing vulnerable cars off the road or making life miserable for their occupants.”

Case in point: Long before UCSD took control of the Chevy at Usenix, hackers Charlie Miller and Chris Valasek had been partnering with Andy Greenberg, Wired contributor and volunteer victim, on remote carjacking demos. In 2013, Greenberg “drove a Ford Escape and a Toyota Prius around a parking lot while they sat in the backseat with their laptops, cackling as they disabled his brakes, honked the horn, jerked the seat belt, and commandeered the steering wheel.”

At the time, the hackers had a big limitation: To take control of the vehicle, they had to physically plug their laptop into the vehicle’s CAN bus. Now, with advances in technology, carjacking can be executed remotely.

Last month, for example, the hackers remotely took control of Greenberg’s Jeep Cherokee during a planned carjacking demo, using its entertainment system to mess with his mind before cutting the transmission, and then the brakes, ultimately crashing the car. “Their hack enables surveillance too,” said Greenberg. “They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.”

Bear in mind, Miller, Valasek and the UCSD researchers who hacked the Chevy are the good guys. When they find security holes, they share their research with the manufacturer in question so patches can be released before the information goes public. But there are plenty of others who aren’t good guys. And while timely patches do solve immediate problems, new holes can always be found and exploited.

Is there any way around the risk? Can insurers offer usage-based insurance (UBI) while minimizing the risk of an OBD device hack?

With smartphone telematics, the answer is yes. Smartphone telematics is inherently less risky than OBD-based UBI. Sure, a smartphone app could be hacked, just like any other mobile device. But because the app functions independently – it’s not connected to the car’s CAN bus – it can’t be leveraged to control your customers’ cars remotely.

With so many security incidents in the news these days, it’s reassuring to know there’s a better option available with smartphone telematics. To learn more about the many benefits of using an “unplugged” usage-based insurance program, download our free report.