Metromile Affected

Notified: August 10, 2015 Updated: August 19, 2015

Status

Affected

Vendor Statement

In June, Metromile learned that several vulnerabilities were discovered in Mobile Devices (MDI) OBD-II dongles that could be used to compromise the devices remotely.  Metromile worked with MDI to ensure that all common configurations of Metromile Pulse, used by our per-mile insurance customers, received OTA updates as soon as possible.  By July 24th, MDI had released updated versions of its 2.x and 3.4.x firmware which resolved the discovered exploits.  As of today, most devices have successfully downloaded and applied the appropriate firmware update and we expect the remainder of devices to be patched by mid-August.  Most devices that have not yet taken the patch show no signs of network activity and have not contacted update servers since before updated firmware was made available.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mobile Devices Affected

Notified: August 04, 2015 Updated: August 28, 2015

Status

Affected

Vendor Statement

Since our devices have access to vehicle electronics, security is a very serious topic in our company and we handle it with a high attention. Ensuring security is a never ending effort which is handled in 3 ways:
• R&D / anticipating security threats
• Company security
• Security in production / deployment

Regarding the recent study: generally speaking our devices are sold to integrators, and provided with the maximum flexibility and openness for the development of applications. In the telematics industry our mission for 13 years has been to provide the most advanced tools to 1) allow innovation teams to implement and test their concepts and 2) deploy the solution to mass market. So the tools – typically OBD Dongles and device management tools – have 2 modes
• A “development” mode in which it is very easy to implement a program to remotely communicate with the vehicle network and even control a vehicle like the researchers have been doing
• A “production” mode for the deployment phases which can be activated at any time and ensures protection, in which the devices' local and remote access are closed and secured.

About this production mode: devices and device management tools are provided with mechanisms allowing to ensure security but it is usually our customers’ choice to decide when and how to activate them. With the very recent concern of the industry regarding vehicle hacking, we are adopting a different approach to security handling. In addition to providing a set of recommendations that allow to secure the devices, we offer a full security package which includes in standard all the mechanisms activated. In addition we are defining rules for activating automatically this package in deployment phases. The purpose of these rules is that there can’t be any deployment without all the security features activated. If you want to know more about this, we will be posting updates on www.munic.io.

During summer we have been identifying – together with our customers – all the deployments that were made without activating all the security mechanisms and making sure the security pack gets applied to all vehicles that are concerned. Telematics is posing an interesting and very important challenge to all the automotive industry: how can we ensure top security AND keep turning this whole industry into modern open platforms with evolving services? This is one of the topics we are deeply involved in at Mobile Devices and we will be communicating on.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.