A Lesson in the Importance of IoT Threat Analysis and Security Testing
Whether you’re a consumer or a business owner, cybersecurity in general and GPS tracker security specifically are becoming more and more important every day. It’s a big concern. In fact, in a national survey conducted earlier this year, 70% of consumers said they were concerned about their personal data being disclosed to the wrong people. At the same time, most existing and soon-to-be new vehicle owners are worried about car theft — justifiably so, due to an upward trend of stolen cars and trucks over the past year (an increase of 9.2 percent from the year prior, according to the FBI).
Car dealers are turning these two concerns into business opportunities. Theft recovery solutions enable quick recovery of stolen vehicles for consumers, while giving dealers greater visibility of their inventory to manage their lots more efficiently, as well as incremental revenue through sales of these devices. But not all theft recovery solutions offer the same level of protection with regard to consumer data and privacy.
Do All GPS Trackers Protect Consumer Privacy?
When we investigated GPS-based tracking solutions commonly used in the U.S. automotive industry and their security features, we found that some of them are carefully designed to protect the devices and their data from hacking, while others have very little or no protection at all. Why does this matter? With a poorly protected tracker, thieves could easily find a car’s location, allowing them to discover where the owner lives, where they work, and even where their kids go to school. And car dealers selling insecure solutions run the risk of incurring their customers’ wrath.
In an effort to gain insights into some of the common security measures that a GPS tracking solution might have (or be sorely lacking), we decided to look at two different tracking solutions in-depth: one was a traditional wired-in solution, and the other a next-generation, battery-powered, wireless solution.
The Bad News: Solution A, the Hardwired GPS
Solution A is usually installed by a dealership technician who connects it to the vehicle’s battery. When we examined this solution, the findings were shocking. We were easily able to determine the phone number that the device used to communicate with the cellular network. From there, we could get the device to provide its exact location simply by sending it a text message containing command phrases we found published on the internet, which the device interpreted as instructions. This on its own represents a violation of consumer privacy and opens people up to dangers like stalking, theft, and other crimes. If the system had been designed with security in mind, we would not have been able to get that information.
We also discovered that with further manipulation, it is possible to get the tracker to send out a false location. One could even disable the tracker altogether by remotely tampering with its software.
That means that the owner of the vehicle and police officers would have no way to track the car when stolen. Or even worse, thieves could send authorities searching in the wrong direction.
For consumers using poorly secured devices, the problems associated with these threats are obvious. If you’re a car dealer selling these devices to your customers, you risk bad PR, decreased revenue, loss of trust, and perhaps even liability issues if a solution you sold is compromised.
All of these issues could have been prevented by working with an impartial third-party expert to assess the security of the device and the end-to-end solution in order to identify problems before the product was released, protecting the long-term revenue and reputation of the manufacturer and its product.
But thankfully there’s also good news!
The Good News: Solution B, the Wireless Tracking Device
Our testing of Solution B – a next-generation wireless tracking device – found NONE of the same weaknesses. It successfully protected location information from hackers, using advanced data encryption so that only the actual owner of the device could access their car’s position. This device also had strong protections in place, such as user authentication, to ensure no one could remotely disable or tamper with it using over-the-air downloads and commands; this ensured it was always available to report the vehicle’s correct location. For consumers, this means their privacy and safety are protected. It also improves the chances they’ll be able to get their car back more quickly if it’s stolen. For car dealers, it means satisfied customers and no liability issues from compromised devices.
How to Choose Which Product to Buy or Sell?
Whether it’s a GPS tracker or any other IoT device, there are three key questions anyone should ask before they choose to purchase or sell it:
- Privacy: Is the device designed with data privacy in mind? Is location data protected with encryption technology?
- Protection: What has been done to protect the device from hackers so it can’t be tampered with or disabled? Are new firmware downloads signed and authenticated? Are remote commands to the device authenticated?
- Independent verification: Is the company that designed the device using internal or external security experts to test the end-to-end security of the solution?
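To make the "are remote commands authenticated?" question concrete, the following added example (not code from the original article or from either tested product) contrasts a handler that obeys any text message containing a known phrase with one that requires a valid tag and a fresh counter. The HMAC-SHA256 scheme, the counter:command:tag message format, the key, and the command names are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed values: a real device would hold a per-device key in protected storage.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
KNOWN_COMMANDS = {"LOCATE", "DISABLE"}  # hypothetical command names

def handle_unauthenticated(sms_body: str) -> str:
    """Weak pattern: anyone who knows the number and the phrase is obeyed."""
    cmd = sms_body.strip().upper()
    return f"EXEC {cmd}" if cmd in KNOWN_COMMANDS else "IGNORED"

def sign_command(key: bytes, counter: int, cmd: str) -> str:
    """Backend side: tag counter+command with HMAC-SHA256 (assumed format)."""
    msg = counter.to_bytes(8, "big") + cmd.encode()
    return f"{counter}:{cmd}:{hmac.new(key, msg, hashlib.sha256).hexdigest()}"

class AuthenticatedHandler:
    """Device side: verify the tag first, then reject replayed counters."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def handle(self, sms_body: str) -> str:
        try:
            counter_s, cmd, tag = sms_body.strip().split(":")
            counter = int(counter_s)
            msg = counter.to_bytes(8, "big") + cmd.encode()
            tag_bytes = tag.encode()
        except (ValueError, OverflowError):
            return "REJECT malformed"
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag_bytes):  # constant-time compare
            return "REJECT bad tag"
        if counter <= self.last_counter:  # captured message sent again
            return "REJECT replay"
        if cmd not in KNOWN_COMMANDS:
            return "REJECT unknown command"
        self.last_counter = counter  # state changes only after authentication
        return f"EXEC {cmd}"
```

A reviewer assessing a device can ask the vendor for the equivalent of these three rejections: a bare phrase, a message signed with the wrong key, and a replay of a previously valid message.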
Need Help to Ensure Your Solution is Secure?
Not every company has the skills in-house to achieve the level of IoT security they require (or even to identify which threats are most relevant for them to protect against). In that case, the smart thing to do is get help from an outside company specializing in security, which can help with activities like threat assessment, security architecture design, and security assessment of your final product before it goes to market. Fixing a security flaw after launch can cost up to 80 times more than catching the same flaw while still in the design phase, and that can mean the difference between success and failure for the product and even the company.