Recently, the media has been on discussion on making the country roads to be controlled by private company and Finnish cars envisaged the so-called mandatory. black box. On this discussion it has been several times mentioned that the Finnish Government has planned a mandatory monitoring devices for all cars to collect “road tax” based on how much cars are used. Some parties have seen that the black box can be a viable option for collecting motoring taxes in the future in a new way. For example, if applied for Employment and the Economy Ministry of the so-called. energy support electric cars , tracking device in the car was a mandatory period of three years. Several Finnish companies have been willing to sell such devices for this purpose. New ways of road-use preparations began for the Ministry of Transport already during the previous government. Mileage-based road user fee based on satellite positioning idea was proposed in statement Jorma Ollila Working Group.
The Finnish Transport Safety Agency Trafi has already tested the Semel sold devices on more than thousand cars as one implementation of the kilometer-based monitoring. Trafi has tested the cars installed “black box”, which tells the authorities where the car is driven, in 2900 cars. It can send data on position and speed. Trafi and telecom operator that have been doing the test have been satisfied with the results of tests. For example, if applied for Employment and the Economy Ministry of the so-called. energy support electric cars , tracking device in the car was a mandatory period of three years.
The GPS tracking device sold buy Semel is quick to set up: attaching it to your car’s dashboard with double-sided tape takes only takes a few minutes and then plug to OBD if needed. The device costs a few dozen euros to a couple of hundred euros, depending on the features.
What about security – whether the system is protected in such a way that it can not be tampered with?
- None of the device is not one hundred percent sure, but there are ways to protect that information. The device sends only one address information.
The question has been on protection of privacy and data protection of motorists. It turned out that due to a security issue garish cars containing these black boxes could be followed in real time via the Internet.
Tivi told last week that the follow-up of cars in Finland within the meaning of “black box” found an error, as a result of the location information was viewed by anyone on the internet. The security was practically none: It turned out that by knowing the 6 digit serial number, the cars could be followed in real-time on the company (Semel) web site. When on the website chose the black box and type the 6-digit identifier, the page began to head to the coordinates of a car display. These coordinates will be able to strike eg. Google Maps and see where the cars are going (Sunday 08/01/2017). This issue (was active on-line for week or two) that been fixed now, at least in the way that the same trick does not work anymore. The exact locations of Sonera Mobile test run was kind of service users has been the Internet visible to anyone for several days or even weeks. “It was specifically Finnish mistake”, says Semel CEO Börje Nummelin.
But the story does not end here, because the tracking system had also other problems. I was on weekend at Disobey hacker event where people hacked that GPS tracking device. I saw what was inside Semel GPS tracker “black box”:
This closeup shows the GPS antenna in the center, QUETEL GPS receiving module (has serial data output) on the left and Antennova cellular antenna on the right.
On the other side you see Cinterion cellular module (serial and USB inerfaces), main processor (there are some pins on the case that carry JTAG signals), USB connector and car interfacing connector (that has for example CAN bus implemented in it).
Here is component list.
The hacker Event Disobey participants found the device to an even worse weekend vulnerability. The investigation showed that the device may be physical possession, the technology is easily manipulated harmful purposes. The vulnerability could be used to steal personal data motorist and car control equipment management.
“We found a serious vulnerability in the device,” said the main organizer of the event Benjamin Särkkä. The box was manufactured by WirelessLinks and sold by Finnish company Semel. If some person gets physical access to the device (USB interface for example), it is possible to change what the device does I was told. The vulnerability allows you to change device settings, so that an outsider can follow your movements in real time the data transmitted by the GPS device allows. So this was just another embedded IoT box with bad security built-in. Tracking and payment systems selling Semel Oy’s President and CEO Börje Nummelin is not a hacker with the absolutely agree with the company’s “black box” data protection observations have been made. Semel has openly cooperate with the hacker community and Semel announced the corrective measures after consulting the found vulnerability.
What happened after those findings came at the annoying moment for politicians? Just few days after the event, coalition transport infrastructure maintenance overhauls we are in favor, although there also criticized motorists digital GPS-monitoring. It would break the fundamental rights. Movement control is knocked out completely. Therefore, ministers Berner and Sipilä now assert that the GPS tracking does not come.