Thursday, March 9, 2017

Automobile Insurance and The Hidden Price of RightTrack(ing you)

Nowadays, insurance companies are using several strategies to charge for premiums in more oppressive ways because they think they're losing money in the process. One of those methods is "usage based insurance" which consists in pushing customers to try their "discount" plan of plugging a device called RightTrack into their OBD-II port of their car monitoring the behavior of your driving, thus giving you discount based on how you drive and now by your age, gender or credit history. They promise the sun and moon and they paint the scenario that you're missing out if you don't try it. Upon receiving the device, customers should keep it plugged in to monitor their "safe" (unsafe) driving and after 90 days, they should return the device by pre-paid mail and receive a discount up to 30%.

But believe it or not, Usage Based Insurance (UBI) is not a new animal but instead it has about 10 years old. It started with Progressive Insurance Co with the help of GMAC (General Motors Assurance Co.) and they used GPS combined with cellular technology to track not only where you went, how much you drove and how fast. With time, they became the leaders who pushed other companies to do the same thus calling these services (PAYD) Pay-As-You-Drive, (PHYD) Pay-How-You-Drive and PAYG (Pay-As-You-Go).

Benefits

I had a discussion with my insurance company and even though they told me that the plan was "optional" it was better for me to opt-in since it could save me as low as 5% of my insurance bill if I was considered a terrible driver. So if the benefit is too great to believe, what's the catch? She also told me that the device "doesn't track you", however I should not be concerned about privacy and that "everyone's using it" so I should try it as well.  Now, my question is: if it's that great, why not making it mandatory? For now, this is optional but it's a catchy one because if you chose not to, you're not getting discount. 

Another benefit of using UBI devices is that it will single you out if you're one of those exempt teenagers who really drive safely. It also obtains a more precise reading versus having to rely on previous history of accidents. But always remember they give you up to a 30% discount, perhaps not a whole lot to save.
  

What they DON'T Tell You

As we all know, insurance companies don't offer this "discount" because they're nice to you or because you have been driving safe, but because they want to rise their premiums by tracking and reporting every sensor such as the breaking system, accelerometer, odometer, whether it's dark outside or not, how sharp your turns are as well as how hard you hit that break pedal and how often (even when someone cuts you off). The part they don't tell you is that even though this product/service is "free" (as of free beer), it's not free from Big Data companies to gather as much information (metadata) about you and how you drive (driving habits). This can and will be used not only to predict when you'll have a car crash but also whether to insure you further or not and how much they can charge you in a matter of time. This also helps your insurance company to estimate and charge you over time more expensive premiums if you drive longer distances (faster speed) vs short distances (slower speed). So for example, if you drive to visit your parents every weekend and they're far from you, they will find that pattern over time and rise your premiums because nobody drives slow in long distances. 

Let's consider the "no tracking" statement is true for my insurance company because it's totally irrelevant to how they can charge me, they still can track the metadata. Let's consider it as metadata on your phone call as an example; which is the duration of the call (drive), speed, time and how often by applying mathematical formulas to determine how much to charge you overtime. Even though my insurance company claimed they do not track their customers, this does not apply to all companies. Let's consider some of these devices have telemetry via GPS and/or mobile signal locators. How safe would you be if someone does not use a good ethical procedure and checks what you do just because the possibility is there or for sadistic fun? Now, let's pretend we live in a perfect world and nobody spies on nobody or because nobody cares whether you go or whether you visit your family or cheating on your spouse, this doesn't mean insurance companies, will use metadata information to hurt you when they present you with your irrefutable driving habits.

What to Do

For now, this program is optional even though they are now trying to bundle it with theft recovery and road assistance plans. It will be up to the people if they demand it or not whether they will make it mandatory. It is up to you to outweigh the risks of having your actions judged by a computer screen in which you can't escape or doing it the old-school way and pay a few dollars more each month for exchange of good privacy.


Sources:

Usage Based Insurance and Telematics:
http://www.naic.org/cipr_topics/topic_usage_based_insurance.htm

Lower Your Car Insurance Bill, at the Price of Some Privacy:  
https://www.nytimes.com/2014/08/16/your-money/auto-insurance/tracking-gadgets-could-lower-your-car-insurance-at-the-price-of-some-privacy.html?_r=0

Wednesday, March 1, 2017

Mobile Pentesting with Android - Part 1 - Set-Up

Nowadays it seems people like to do "everything" on their daily lives over their phone, avoiding the use of laptops and even less desktops.  For this reason, cyber crime is shifting to a new paradigm and that is, going after mobile users infecting them with malware, stealing their credentials and even listening to their phone calls with fake apps which gives you a little more than what it promises.

Aside the whole discussion of "how can I be safer with my phone", I thought it would be better skipping that rhetoric boring subject and delve more into "how to spot if my app is actually secure" by conducting common sense and various assessments to it.  First I will go into the basics in how to determine if your app is as secure as it says and then set up an emulator so you can test them before installing them into your phone. We will change the connection settings so the connection routes to a local proxy so we can see if it transmits securely into our device.

You can also conduct other assessments but it's up to you if you decide to to break the law or not. I suggest you not to, so as a proof of concept I will use a purposely vulnerable Android app called DIVA (Damn Insecure and Vulnerable App). Ultimately, it's your duty to be responsible with the apps you use, how much and what type of information you share over the Intenret and TO INVESTIGATE AND TEST them in order to determine if it's a good trade-off for you to install and use them.

To start, I will show you how to determine what kind of information you give out before installing an application. You can also check this on an already installed application you already have on your mobile.  

In the following screenshot you can see Facebook's permissions and how to access them. 



Under "permission details" it specifies which kind of sensor activates on the phone on behalf of the installed app.  So after we see what we give out, we face the dilemma of having certain privacy traded off with the pleasure of using the app.

Now, I will show how to set up a phone emulator so you can install the application you want and test it however you please. You can also use the proxy connection steps on your own (physical) phone after you connect to your home wi-fi but I won't recommend so, since I wouldn't mix my personal phone for testing applications.

There are plenty of emulators on-line to test from but the one I highly recommend because it's easy to set-up and use, is Genymotion for Personal Use which will also help you to install the Android image you want. You can also install .apk files on the fly by using drag-drop which makes it extremely easy.

After installing it, in order for Genymotion to work, we also have to install Virtual Box.
 

Once Genymotion and Virtual Box are installed, you need to fire up Genymotion and set up the Proxy in order to use it with Burp Suite and test for vulnerabilities. But first, let's go over Genymotion's settings:

Going from back to front, leave the Misc tab as default as it is only for selecting the folder you want for screen captures. You can also opt out from Genymotion to collect usage statistics.

In the ADB tab, if you haven't installed any SDK tools package (you don't have to), use the default option. If you did so, select the folder where your SDK tools reside in.

For the "Virtual Box" tab, ensure the path is the correct one for the Virtual Devices (it's already set-up by default).

Also leave the "Network" tab blank as we set up the proxy later. For the "Account" tab, there is nothing to change/review.

For the Virtual Box Configuration, you only need to review and change (if applicable) the Network settings.

The adapter 1 should be "host only" to connect from Virtual Box to Genymotion:

The adapter 2, we should select NAT in order to use our local IP address to use with Burp Suite:




Ensure "Enable Network Adapter" in both Adapter 1 and 2 are checked. This is a common problem I have overlooked more than once.

Now, we fire up the image on Genymotion and wait until our Android image starts. You can check VirtualBox on a side to verify everything went fine. You can see the image loaded. Mine's a custom one so it might look different if you chose another Android image but it shouldn't matter.



 Finally, we set-up our proxy so we can connect to our application through Burp Suite.

The easiest way to do this is to go to Settings -> Select WiFi Network -> Hold Click on WiredSSID (network's name) and select on "modify network".


By clicking on "Show advanced options" and select "Manual" on Proxy, we input the same IP of our local machine and type port 8082 or whatever unused port of your like.


Leave the "Bypass proxy for" and "IP settings" as is and click on "Save".

Now, fire up Burp Suite and create a new blank project (temporary project). Select the defaults and wait until it completely loads.

Going to the Proxy -> Options tabs, deselect the default one (127.0.0.1:8080) and create a new proxy listener with port 8082 (or whatever port you entered on your Android wifi proxy settings) and select "all interfaces":

Click OK and Yes when it asks if you want to listen to all interfaces.

Now, in Burp Suite, go to "Intercept" (under Proxy tab) and test the connection by going on Genymotion's web browser. If it doesn't automatically go to google.com go ahead and type google.com and press enter. Burp Suite should now intercept the packet before the page loads.



And this concludes the set-up process. On the next topic, I will guide you into installing .apk and use DIVA so you can start learning/practicing your pentesting skills with no constraints or legal troubles. 

Have a good week and stay safe!