Apparently my auto insurance company was not reading my recent blog entry. They introduced a car monitoring device, “In-Drive” that will track my driving habits and provide a discount (or increase) in my insurance rates.
Potential abuses of car monitoring devices
There are a few small problems. The device connects into the diagnostic port of the car, allowing it to take control of the car (brakes, acceleration, etc.) or a hacker to do this (see prior Blog entry). It is connected to the mothership (ET phones home), and that channel can be used both ways, so the hacker that takes over my car can be anywhere in the world. I can think of three scenarios where this is actually feasible.
- Someone wants to kill the driver (very focused, difficult to detect).
- Blackmail – where bad guys decide to crash a couple of cars, or threaten to, and demand payment to avoid mayhem (what would the insurance company CEO say to such a demand?) (Don’t they have insurance for this?)
- Terrorism – while many cyber attacks do not yield the requisite “blood on the front page” impact that terrorists seek, this path can do that — imagine ten thousand cars all accelerating and losing brakes at the same time … it will probably get the desired coverage.
As previously mentioned, proper software engineering (now a licensed profession in the U.S.) could minimize this security risk.
Then there is privacy
A different insurance company, Anthem, encountered a major attack that compromises identity information (at least) for a large number of persons. I’m just a bit skeptical that my auto insurance company has done their analysis of that situation and upgraded their systems to avoid similar breaches and loss of data. For those wondering what types of privacy policies might make sense, I encourage you to view the OECD policy principles and examples. Organizations that actually are concerned with privacy would be covering all of these bases at least in their privacy statements. (Of course they can do this and still have highly objectionable policies, or change their policies without notice.)