Until there is some kind of law in place that makes companies financially responsible for this kind of blunder, it will proliferate. In the current state of affairs it's simply not economically justified to implement proper security.
I have a feeling it's a subtly different problem: the people they've contracted to build this just don't understand security. They've evidently attempted to secure this, just in completely the wrong manner!
Here's an interesting thought: what with the money there is to be made in security these days programmers that actually know everything there is to know about security will leave applications development.
There is a good chance that the lure of security consultancy $ is resulting in a degradation of the quality of the applications.
Are you saying developers in general are subconsciously making low security products to raise the $ in security jobs globally, because they might some day switch career?
No, they're saying that if the money is in security, developers that know about security will go to security, and whoever remains as a developer will not be good at security.
There's not nearly as much money in security as most security consultants would like you to believe. It's in their best interest for most people to believe there's a huge amount of money waiting for you if you switch to security.
Unless you're someone with specialized experience (crypto), you as a pentester are worth around $100k/yr. That's excellent money, but it's not the massive margin that would drive people away from webdev.
If the company providing the service were financially liable for these blunders, they would be careful to select contractors that are capable of meeting the security needs.
As it is now, there is no financial incentive to select the "security aware" contractor, and the "non-aware" one is so much cheaper...
There are extensive laws in place that protect the personal information of patients and students. If a hospital had this same issue, then it would be fined and depending on the state, it would have to inform all of it's users that it may have leaked personal information. Similarly, educational instituons will not share your educational record with your parents no matter how much they beg unless you're a minor.
It's not a stretch that there should be laws that affect all companies that collect data on their users. I hope it happens soon! These companies should be paying quite a bit in fines for these mistakes, not just a few thousand for a bug bounty. Otherwise our personal information will most likely leak and be all over the web.
> Until there is some kind of law in place that makes companies financially responsible for this kind of blunder, it will proliferate.
It will still be out there. For example, in a startup that's trying to get off the ground, going bankrupt because of security issues isn't that much different than going bankrupt because you failed to gain traction. It will still be put off to "later."
That said, with significant financial penalties there will be a point where the startup assesses the cost of security to be worth it (vs. now where there is no downside other than bad PR).
That's a qualified statement, there is nothing irresponsible about that. Telematics companies bear close watching anyway. Right now it is as far as I'm concerned a content free statement.
It's absolutely irresponsible, even with qualifications, given what we now know about how people use that information. Witch hunts happen even with qualified statements, and down the road people who read qualified statements tend to forget the qualification and give the negativity more weight than it deserves.
Knowing like most industries, the layers of ODMs and OEMs etc, it's hard to pin down who exactly is responsible for a security cockup. And, funnily enough, having an interview there I wasn't inclined to do a recce on their infrastructure. Also, not having a device, I didn't have endpoints or traffic to test.
I went to an interview 3 years ago. The only 'evidence' I have is the UI looks vaguely similar, and my questions about their security posture were met with non-committal answers.
If you knew about the industry, they could have rebranded somebody elses software, bought a previous version, lots of things.
Why would I hold myself to something that may be libelous, without the evidence the OP has?
Because right now you are an anonymous entity on the internet making statements about other un-named entities which may or may not be the same as the one the article is about.
To me that's a content free statement, if you were either not anonymous or you named the company the statement would have some force as it is it is a big fat 0.
So they had this vulnerability live for 3 years, didn't even pay a bounty, and they still don't get named or shamed? What incentive is there to do a better job if they can just do a shitty job and nobody finds out?
Terrible, but they did fix it rather quickly once the flaws were disclosed. Given many other such stories, the almost expected outcome would be to deny the problem, have the discloser prosecuted or sued, and put out a fix six months later that made things worse.
The EU and its member countries are still interested in personal privacy. Do they regulate insurance providers? Could EU, or Italy, exact a penalty against this provider for failing to do the most elementary of penetration tests on this system? Perhaps some of the penalty should be a return of premium payments to customers whose information was potentially exposed.
The point is to make the business-risk managers in other provider companies say to their executives: "We cannot take the risk of skipping cybersecurity hardening. If we do skip it and we get caught, our business will be forced into bankruptcy."
The GDPR is vague but the description details shockingly vulnerable APIs that do not come close to "industry best practices". They would have been made an example of.
it's really sad how young online political activists have adopted privacy issues instead of adopting issues like workers rights, vacation time, pay, a strong welfare state, universal healthcare etc...
Generally they have adopted a lot of those, but privacy is kind of our specialisation as tech people. Often we see it as a necessary prerequisite to the others. Especially worker's rights: mass surveillance is used against worker organisation.
Dismissing people focusing on "X" instead of "Y" is useless and disruptive.
Why would he be capable of only addressing one issue at a time? If I fight against racial discrimination, for example, why does that mean I'm not also battling for workers' rights?
I can't believe that anyone would voluntarily sign up for this. Frankly, insurance isn't that expensive.
Having a little third party controlled snitch hooked to your car is a security issue, period. The fact that the implementation is a shitshow is just icing on the cake.
at £1400 last year my insurance is expensive. Partly due to living in a city and using on street parking but mostly due to my age (<25). My mother, who had the same model, paid £250.
The 15% discount for taking a black box still isn't worth it for me however.
I drive a car with 380bhp, so while the insurance without the black box is about £300 more than the one with it, I'm pretty sure it's not worth getting the box. I pay about £1000/year at the moment.
Being part of a late 30s couple with pretty boring driving history in a small city pays I guess. I pay like $700-850 (depending on how you break out umbrella liability cost) for maxed out coverage in an above average cost US state. I think I paid around $1200 when I was a dumb kid with tickets. :)
Even if there were siginifciant savings, it wouldn't be worth it to me to have that kind of telemetry being gathered. It can only be used against you in a accident situation.
Over here there's no choice in the limit of cover - EU mandates that every car insurance has to cover 5 million Euro in personal damages and 3 million in property damage. The only "optional" thing is whether you want to get comprehensive insurance which covers your own car for the damage caused by yourself - but 3rd party liability is always set to that 5 and 3 million by law.
I guess you could buy some specialist insurance which would cover more but unless you are planning on crashing into multiple Bugatti Veyrons, it's pretty much impossible to hit that limit.
Interesting, that's nowhere near the level of insurance (it's significantly higher) than what even non-cut-rate insurers will recommend for most drivers in the states. After changing providers, we pay $1400 for two cars with $100,000/$300,000 (individual/total) injury and $100,000 in property coverage.
Well, it seems a lot more reasonable than the popular default of trading all your data for free services that either have very cheap alternatives, or would have if there was a market for it.
I've had a driving license for about 10 years and I've never been in a collision, never gotten a ticket, and never filed an insurance claim -- neverthless, my insurance premium was $95 a month (likely due to my age, credit report, not being married) until I switched to a pay-per-mile insurance that requires a "third party controlled snitch" connected to my vehicle's OBD port -- which cut my premium significantly.
> I can't believe that anyone would voluntarily sign up for this.
It saves me money and I don't have much money. Hell, it's why people even bother with insurance companies in the first place -- it's cheaper than depositing $60,000 in a surety bond to the DMV.
No mention of the irony of someone who doesn't use Google Play Services because he only uses open source software being willing to attach a device to his car, running closed source software, that tracks everything he does in his car?
I think I have a similar attitude. I have Google's location tracking on, but search history, YouTube history, etc turned off. I'm much more sensitive to digital privacy because it has complex, wide-ranging implications, whereas my location is a limited set of data that I'm more comfortable sharing with a semi-trusted company.
I wouldn't want to know a company when, how often and which doctors I consult for one. If you don't want to share your search history you may not want to share your location data either. I would see these as equivalent.
> I wouldn't want to know a company when, how often and which doctors I consult for one.
Depends. A lot of doctor's offices are in "medical parks," so it's entirely possible they don't know which doctor you are seeing or why. They have easier access to that information via your calendar (if you use it) than your location.
Also, even if you did go to a doctor's office in the middle of nowhere with nothing else around and only one doctor working there, that doesn't mean you are there to see the doctor.
For that matter, your location data couldn't be proven to be yours on merit alone. Anyone can be using my car, and anyone can have my phone, at any given time.
You're underestimating the google, my friend. This response also misses the point, just because this specific example may not be relevant to you (what about private practice doctors?), there are hundreds of others that are.
Why turn off search history, youtube history, etc? Google likely gathers all of it anyway, so you might as well see what they keep regardless of your settings.
I suppose it's good in case your account gets leaked.
Because he is getting up to a 40% discount in exchange for sharing his location data while he is using his car, he should also run Google Play Services and share his location the whole time too? What?
Exactly. Being concerned about privacy doesn't mean that you don't have a price at which you'll sell specific data of yours.
We need these "personal data for discount" transactions to become more explicitly consensual. Despite the well-tuned sensitivities of those in this community, we have a long way to go before most consumers are informed about this unwitting marketplace.
The trouble I see coming is, right now it's "a discount" for sharing the data. Once these sorts of services become ubiquitous and well tested, it'll be "a surcharge" for not sharing the data. Explicit opt out, versus explicit opt in. Right now, it feels like you're getting value out of sharing your data, but in the future, you may have to pay more (relative to others) to keep your data private.
They're two sides of the same coin. Your situation is already the reality. A 40% discount for selling your information is a 67% surcharge for your privacy.
That's a matter of perspective, and I agree that that's what it will very rapidly become. However, right now, I would say it really is a discount - you get a rate that is lower than what you would otherwise have gotten before the technology was introduced. That's partially a reward for you being part of the early adopter group that will make it ubiquitous enough that they can justify raising the prices back up to the level the market can bear.
What's the point of hiding the identity of the company here? The issue has apparently been fixed and I'd rather know which company had it so that I can avoid them.
Note that with the latest changes to Android, using mitmproxy to analyse the behaviour of apps has become impossible: apps refuse to accept personally-installed certificates.
In the future, we'll see less revelations about this sort of thing, not because it has become rarer but because Google have chosen a course of action which obscures it.
(it also breaks things like personal or corporate CAs, but that's a different problem)
For Android < N, if you install a custom CA, you'll get a permanent "Network may be monitored by an unknown third party" notification that cannot be dismissed and stays across reboots. Android wasn't really "insecure" in that regard beforehand.
Your point is valid, but I think it's a negligible improvement that comes in hand with severe implications for privacy research.
Having worked in the connected car/telematics industry for a while as a contractor, I can very well relate to this and can confirm that the security systems in place inside the car's telematics unit is not good enough. For example, in one of the oauth process of authenticating a car with the cloud, the VIN was passed around as a client secret and MDN of the modem as the username ! We recommended to immediately stop this practice, but the "IT" dept of the automotive maker said, " You know we sell cars, not security software." There is no budget to rewrite the mechanism, and the telematics unit cannot be updated OTA. The upgrade requires customers bringing the car to a dealer and USB stick updates etc.
I believe the frequent bursts of data from the car was given to insurance companies. Or they were trying to package insurance deal along with the car sale or something.
When my insurance company offered a discount to use one of these devices a few years back, I smelled a rat. I figured they would use it to observe how fast I drive vs the speed limit so they can decide how "safe" of a driver I am or whatever. But also my insurance is very inexpensive so discounts on it are not a big motivator.
I guess location tracking would make sense too, so they can bust you if the car stays in a place other than where it's insured for. Or god knows what else. All of this shit is only going to get worse, a lot worse.
68 comments
[ 2.8 ms ] story [ 78.2 ms ] threadThere is a good chance that the lure of security consultancy $ is resulting in a degradation of the quality of the applications.
Unless you're someone with specialized experience (crypto), you as a pentester are worth around $100k/yr. That's excellent money, but it's not the massive margin that would drive people away from webdev.
If the company providing the service were financially liable for these blunders, they would be careful to select contractors that are capable of meeting the security needs.
As it is now, there is no financial incentive to select the "security aware" contractor, and the "non-aware" one is so much cheaper...
It's not a stretch that there should be laws that affect all companies that collect data on their users. I hope it happens soon! These companies should be paying quite a bit in fines for these mistakes, not just a few thousand for a bug bounty. Otherwise our personal information will most likely leak and be all over the web.
It will still be out there. For example, in a startup that's trying to get off the ground, going bankrupt because of security issues isn't that much different than going bankrupt because you failed to gain traction. It will still be put off to "later."
That said, with significant financial penalties there will be a point where the startup assesses the cost of security to be worth it (vs. now where there is no downside other than bad PR).
Knowing like most industries, the layers of ODMs and OEMs etc, it's hard to pin down who exactly is responsible for a security cockup. And, funnily enough, having an interview there I wasn't inclined to do a recce on their infrastructure. Also, not having a device, I didn't have endpoints or traffic to test.
I went to an interview 3 years ago. The only 'evidence' I have is the UI looks vaguely similar, and my questions about their security posture were met with non-committal answers.
If you knew about the industry, they could have rebranded somebody elses software, bought a previous version, lots of things.
Why would I hold myself to something that may be libelous, without the evidence the OP has?
To me that's a content free statement, if you were either not anonymous or you named the company the statement would have some force as it is it is a big fat 0.
Name and shame, please!
The point is to make the business-risk managers in other provider companies say to their executives: "We cannot take the risk of skipping cybersecurity hardening. If we do skip it and we get caught, our business will be forced into bankruptcy."
Dismissing people focusing on "X" instead of "Y" is useless and disruptive.
Having a little third party controlled snitch hooked to your car is a security issue, period. The fact that the implementation is a shitshow is just icing on the cake.
The 15% discount for taking a black box still isn't worth it for me however.
Being part of a late 30s couple with pretty boring driving history in a small city pays I guess. I pay like $700-850 (depending on how you break out umbrella liability cost) for maxed out coverage in an above average cost US state. I think I paid around $1200 when I was a dumb kid with tickets. :)
Even if there were siginifciant savings, it wouldn't be worth it to me to have that kind of telemetry being gathered. It can only be used against you in a accident situation.
I guess you could buy some specialist insurance which would cover more but unless you are planning on crashing into multiple Bugatti Veyrons, it's pretty much impossible to hit that limit.
I'm speaking from guilt.
I've had a driving license for about 10 years and I've never been in a collision, never gotten a ticket, and never filed an insurance claim -- neverthless, my insurance premium was $95 a month (likely due to my age, credit report, not being married) until I switched to a pay-per-mile insurance that requires a "third party controlled snitch" connected to my vehicle's OBD port -- which cut my premium significantly.
> I can't believe that anyone would voluntarily sign up for this.
It saves me money and I don't have much money. Hell, it's why people even bother with insurance companies in the first place -- it's cheaper than depositing $60,000 in a surety bond to the DMV.
Depends. A lot of doctor's offices are in "medical parks," so it's entirely possible they don't know which doctor you are seeing or why. They have easier access to that information via your calendar (if you use it) than your location.
For that matter, your location data couldn't be proven to be yours on merit alone. Anyone can be using my car, and anyone can have my phone, at any given time.
I suppose it's good in case your account gets leaked.
We need these "personal data for discount" transactions to become more explicitly consensual. Despite the well-tuned sensitivities of those in this community, we have a long way to go before most consumers are informed about this unwitting marketplace.
In the future, we'll see less revelations about this sort of thing, not because it has become rarer but because Google have chosen a course of action which obscures it.
(it also breaks things like personal or corporate CAs, but that's a different problem)
Some context: https://github.com/mitmproxy/mitmproxy/issues/2054
Your point is valid, but I think it's a negligible improvement that comes in hand with severe implications for privacy research.
I believe the frequent bursts of data from the car was given to insurance companies. Or they were trying to package insurance deal along with the car sale or something.
I guess location tracking would make sense too, so they can bust you if the car stays in a place other than where it's insured for. Or god knows what else. All of this shit is only going to get worse, a lot worse.