A number of motor insurance companies in the UK are now using “black box” technology to track driving behaviour to calculate premiums – but a US-based security expert has now claimed that these boxes can be hacked.
Corey Thuen managed to reverse engineer the software used in a device used by one of the major US insurers, which is used by approximately two million drivers. In doing so he discovered that there is minimal firmware on the device, and that there was no form of encryption, authentication or signing of updates… meaning that they are vulnerable to attack.
Thuen himself managed to get into the black box’s CAN bus, which connects the system to the car to talk to it. He has claimed that an attacker who knows what they are doing could easily get the same sort of access, which could have a number of consequences. These consequences could be anything from a loss of privacy with data being stolen, to more serious consequences as, in theory, hackers could also access the braking and steering systems of the car.
The expert’s simulated attack was done by connecting a laptop directly to the insurance black box, but thanks to the built-in modem that the device has, he has stated that it would definitely be possible for people to attack remotely – and also to access the data and potentially the device controls by attacking the insurance company’s servers.
Concern over these black boxes, or telematics devices, comes on the back of the fact that hacking is still rife in laptops and PCs. Now, hackers are also managing to compromise smartphones as we become increasingly connected, and Thuen fears that our cars will be next. However, if a hacker were to attack a car via its black box, it may not be just personal data that is at risk. With cars featuring a number of different elements that are connected to the brakes via a sensor – elements such as adaptive cruise control and self-parking – he believes that it is time for car manufacturers and insurers to stop and think about how they can ensure the security of their products.