DOI: 10.1145/2994551.2994573
research-article
Public Access

From Physical to Cyber: Escalating Protection for Personalized Auto Insurance

Published: 14 November 2016

Abstract

Nowadays, auto insurance companies set personalized insurance rates based on data gathered directly from their customers' cars. In this paper, we show that such a personalized insurance mechanism, widely adopted by many auto insurance companies, is vulnerable to exploitation. In particular, we demonstrate that an adversary can leverage off-the-shelf hardware to manipulate the data fed to the device that collects drivers' habits for insurance rate customization, and thereby obtain a fraudulent insurance discount. In response to this type of attack, we also propose a defense mechanism that escalates the protection for insurers' data collection. The main idea of this mechanism is to augment the insurer's data collection device with the ability to gather unforgeable data acquired from the physical world, and then leverage these data to identify manipulated data points. Our defense mechanism leverages a statistical model built on unmanipulated data and is robust to manipulation methods that were not previously foreseen. We have implemented this defense mechanism as a proof-of-concept prototype and tested its effectiveness in the real world. Our evaluation shows that our defense mechanism exhibits a false positive rate of 0.032 and a false negative rate of 0.013.

Supplementary Material

MOV File (p42.mov)


Published In

SenSys '16: Proceedings of the 14th ACM Conference on Embedded Network Sensor Systems CD-ROM
November 2016
398 pages
ISBN: 9781450342636
DOI: 10.1145/2994551
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Fraud Detection
  2. Mixtures of Regression Models
  3. Telematics Device

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 174 of 867 submissions, 20%
