This Week in Security: Car Insurance Privacy Fails, Password Leaks, WannaCry

Big Brother’s Car Insurance Discount

Car insurance companies have had tracking-based discounts for years now. They usually use a small device that connects to a car’s OBD-II port to collect speed, location, and other telemetry to send back to the insurance provider over a cellular modem. In exchange for your data, you get a discount on your insurance premiums. But is that information kept securely and privately? Since we’re writing about this, you can probably guess the answer.

Italian FOSS enthusiast and software developer Andrea Scarpino wasn’t happy with his insurance provider’s closed source software, so he began reversing it to reimplement his own, and discovered something amazing. Due to lack of authentication on the API, an attacker could retrieve the last 20 recorded GPS locations of a customer using only their car license number. But that was just the tip of the iceberg. With a bit more exploring, Andrea discovered that an attacker could get a customer’s full name, recorded location history, and real-time location too, just by entering their license number. Andrea reported these vulnerabilities to the company, which fixed the issues, but received no bounty.
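To make the flaw class concrete, here is an added Python sketch (not code from the article, and not the insurer's actual API, which the post does not show): the vulnerable lookup treats the license plate as if it were a credential, while the hardened version requires a logged-in session and checks that the requested plate belongs to that customer. All customer names, plates, tokens and coordinates are constructed sample data.

```python
from typing import Optional

# Constructed sample data: two customers, their plates and a few GPS fixes.
CUSTOMERS = {
    "cust-1": {"name": "Alice Example", "plate": "AB123CD",
               "fixes": [(45.46, 9.19), (45.47, 9.20), (45.48, 9.21)]},
    "cust-2": {"name": "Bob Example", "plate": "EF456GH",
               "fixes": [(41.90, 12.49)]},
}
PLATE_INDEX = {c["plate"]: cid for cid, c in CUSTOMERS.items()}

# Session tokens handed out after a real login (constructed placeholders).
SESSIONS = {"token-alice": "cust-1", "token-bob": "cust-2"}


def locations_unauthenticated(plate: str) -> Optional[dict]:
    """Vulnerable pattern: anyone who knows a plate gets the owner's data.

    The plate is public information painted on the car, so using it as the
    only lookup key is equivalent to having no authentication at all.
    """
    cid = PLATE_INDEX.get(plate)
    if cid is None:
        return None
    c = CUSTOMERS[cid]
    return {"name": c["name"], "fixes": c["fixes"][-20:]}


def locations_authorized(session_token: str, plate: str) -> Optional[dict]:
    """Hardened pattern: authenticate the caller, then authorize the object.

    Returns None (i.e. the same denial) for a missing session and for a plate
    that does not belong to the caller, so the response does not reveal
    whether a given plate exists in the system.
    """
    cid = SESSIONS.get(session_token)
    if cid is None:
        return None  # not logged in: would be an HTTP 401 in a real service
    c = CUSTOMERS[cid]
    if c["plate"] != plate:
        return None  # object-level authorization failure: 403/404
    return {"name": c["name"], "fixes": c["fixes"][-20:]}
```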

This reminds us that personal information is becoming more valuable by the day, and companies are looking for new clever ways to get as much as they can. While a sizeable discount on insurance might be worth it to some, it’s important to remember that this personal information can be very sensitive. Even if customers are fine with their insurance provider tracking their location, they also have to be confident that their data won’t leak from a breach or misconfigured server. The only way to keep this information private is to not share it, so think carefully before plugging a homing beacon into your car.

Even More Password Leaks!

At this point

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog