Month: September 2015

Integrate Conference 2015

This conference has a focus on integration between technologies and is co-located with API World. A dominant theme was connected cars.

ActiveScaler demonstrated its Connected Car platform and API, which delivers five types of information. It had a great session with visits from a number of car companies, partners, vendors, advisors, investors and interested members of the public.

The highlight was a visit by Maria Roat, CTO, US Department of Transportation where she and her colleague shared their views on the evolution of transportation technologies with ActiveScaler team.

ActiveScaler demonstrated an app that connects the car to the cloud to provide rich vehicle and driver analytics in real time.

Privacy and Marketing Automation

Oracle bought Eloqua, and sells marketing automation as a business service.

A quote from “What is Eloqua all about”: “At their core, Eloqua, and other MAPs, help you connect an email address you have (or have collected) to activities of an anonymous person (prospect) interacting with you and your brand across online channels. The fundamental value in these tools and platforms is that they help you de-anonymize prospects (unknown) into contacts (known) from interactions like clicking on an email you sent them or by submitting a form, which should at the minimum collect email address and name, from your website, chat bot, landing page etc.”

A Paper on privacy and marketing by Princeton CS – The web never forgets, persistent tracking methods in the wild.

How web analytics JavaScript reports back information from the referring URL.

Difference between first party and third party cookies.

Flash cookies are shared across different browsers.

A good explanation of SSP and DSP and the mechanism and need for cookie syncing is here. The end-user supplies attention. The agency/brand demands attention.
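The two mechanisms above (the referring URL that analytics scripts report back, and the first-party versus third-party cookie distinction) can be made concrete with a small audit script. The following is an added example, not code from the original post or from any vendor mentioned: it classifies the sub-requests a page makes as first- or third-party by comparing registrable domains, and shows what the Referer header would hand to each endpoint under several Referrer-Policy values. The page URL, request URLs and host names are constructed for illustration, and the domain logic is a deliberately crude last-two-labels rule (a real implementation would consult the Public Suffix List).

```python
"""Audit which requests from a page are third-party and what the Referer
header leaks to them.  Added example; URLs below are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host.
    Assumption for this example only; suffixes such as co.uk break it."""
    return ".".join(host.lower().split(".")[-2:])


def cookie_party(page_url: str, request_url: str) -> str:
    """A cookie set in response to request_url is first-party when the
    request's site matches the top-level page's site, else third-party."""
    page_site = registrable_domain(urlsplit(page_url).hostname or "")
    req_site = registrable_domain(urlsplit(request_url).hostname or "")
    return "first-party" if page_site == req_site else "third-party"


def referer_sent(page_url: str, request_url: str, policy: str) -> Optional[str]:
    """What a browser places in Referer for a sub-request under the given
    Referrer-Policy.  Covers four common policy values."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    full_url = page._replace(fragment="").geturl()   # fragment is never sent
    origin_only = f"{page.scheme}://{page.netloc}/"
    same_origin = (page.scheme, page.netloc) == (req.scheme, req.netloc)
    downgrade = page.scheme == "https" and req.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_url                      # path and query leak everywhere
    if policy == "origin":
        return origin_only
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None                      # never leak over a downgrade
        return full_url if same_origin else origin_only
    raise ValueError(f"unsupported policy: {policy}")


# Constructed sample: a shop page whose query string carries a promo code,
# loading its own script, a same-site CDN asset, and two tracker endpoints.
PAGE = "https://shop.example.com/cart?item=blue-sedan&promo=CAR2015"
REQUESTS = [
    "https://shop.example.com/static/app.js",
    "https://cdn.example.com/logo.png",
    "https://analytics.tracker-example.net/collect",
    "http://ads.tracker-example.net/pixel.gif",
]


def audit(page_url: str, request_urls: List[str],
          policy: str = "unsafe-url") -> List[Tuple[str, str, Optional[str]]]:
    """For each request: (url, cookie party, Referer value it would receive)."""
    return [(u, cookie_party(page_url, u), referer_sent(page_url, u, policy))
            for u in request_urls]


if __name__ == "__main__":
    for policy in ("unsafe-url", "strict-origin-when-cross-origin"):
        print(f"--- Referrer-Policy: {policy}")
        for url, party, ref in audit(PAGE, REQUESTS, policy):
            print(f"{party:12} {url:50} Referer={ref}")
```

Run under the permissive policy, both tracker hosts receive the full page URL including the promo code; under strict-origin-when-cross-origin the third-party endpoints learn only the origin and the plain-HTTP pixel gets nothing, which is the defender's lever here.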

Purpose of all this amazing tracking is to build personal profiles to personalize and market various offers, cars and credit cards (?).

Top advertisers on Google and Facebook indicate that many top brands are paying top dollar for the ads.

In some ways it is inevitable that a better advertising medium than TV/Radio should appear.

The raw data creates linked data. Profile data gets built up over years and hoarded competitively to achieve a higher rate of advertising effectiveness. The asymmetry of information between the user and the ad companies grows over time. Does it have to be so?

TechCrunch Disrupt Hackathon – Safety for Connected Cars

The Ford Hackathon at TechCrunch Disrupt (San Francisco, 2015) encouraged use of the Ford SmartDeviceLink (SDL) iOS SDK to talk to their in-car head units. The apps can be submitted to Ford for cars supporting Ford Sync. Toyota was present to lend support to this open source effort. With a joint open source effort the number of cars targeted by such apps could be higher.

The SDL SDK can be useful for insurance applications for measuring ride and driver quality. Many applications were built at the hackathon around this idea.

My team built an iOS application to synchronize brakes between two cars in real-time to prevent vehicle pileups in low visibility conditions. It alerted the driver that another car is braking ahead of his car, by acting as a virtual brake light that turns on if a connected car ahead is braking. Our goal was distraction-free safe driving, so it used voice commands to alert the driver and automatic brake detection from the SmartDeviceLink SDK, instead of manual alert generation.

A previous SDK supported by Ford was OpenXC, an open API for connected cars. Another popular SDK at the hackathon was Vin.li SDK.

There was discussion of a Waze like app that is built into cars. Talking to people I learnt of the role the Department of Transportation is playing to bring Intelligent Transportation to reality.

DSRC is a communication standard for such use cases – Dedicated Short Range Communications.

Salesforce Dreamforce Conference

At the Salesforce conference there were several interesting IOT demonstrations.

One of them allowed Docker to be run inside a Raspberry Pi. This can be used for seamless OTA upgrade of IOT software. Another allowed instant analysis of the chemical composition of a drug, with the results fed to an app.

Another interesting demo was Built.io, which is like an IFTTT for different APIs and IOT flows – a virtual circuit diagram allows inputs to be cascaded together in a flexible manner to achieve a variety of outcomes.

Salesforce announced the IOT Cloud, which is built on Salesforce Thunder, a massively scalable real-time event-processing engine. Businesses can create alerts or filters to identify important data in event streams. This can be used to send alerts from manufacturers to customers or from customers to manufacturers, for instance for a malfunctioning device or for a car recall.

Marc Benioff – “The Salesforce IOT Cloud will empower businesses to build proactive 1:1 relationships with their customers to deliver a new kind of customer success”.

Here’s a review of this announcement with the opinion that it is currently more of a positioning statement than a real capability – http://www.zdnet.com/article/dreamforce-2015-salesforce-thunder-unavailable-2016/

CAN bus attacks

A CAN is a Controller Area Network. Electronic Control Units (ECUs) are networked together in a car using a bus based on the CAN standard. A car will have one or more CAN buses, which are typically accessible via the On-Board Diagnostics (OBD-II) port.

The CAN allows a distributed network of micro-controllers and devices to exchange real-time messages as CAN packets, to exercise real-time control. It is used in industrial control systems, vehicles such as airplanes and ships, and automotive systems.

ECU examples are Airbag, HVAC, ABS and Engine Control Unit.

Some CAN-related security resources –

  1. Hopping on the CAN bus. https://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On-The-Can-Bus.pdf
  2. Charlie Miller, Chris Valasek.  http://illmatics.com/car_hacking.pdf
  3. Craig Smith, opengarages. http://opengarages.org/handbook/
  4. Original Spec by Bosch. http://www.bosch-semiconductors.de/media/pdf_1/canliteratur/can2spec.pdf
  5. http://www.instructables.com/id/Exploring-the-Tesla-Model-S-CAN-Bus/?ALLSTEPS
  6. http://tucrrc.utulsa.edu/DodgeCAN.html

A podcast interview with Chris Valasek: https://securityledger.com/2015/07/podcast-interview-with-car-hacker-chris-valasek-of-ioactive/

Most cars do allow CAN access via OBD. Tesla does not, but the CAN information is still accessible via another port.

It may sound unusual that the OBD port meant for diagnostics should allow sending commands to the CAN bus, but this is in fact possible, in part because there is no source identifier or authentication built into CAN packets.
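Because a CAN frame carries only an arbitration ID (a priority, not a sender address), a length and up to eight data bytes, a receiving ECU cannot tell who sent a frame. What a defender can still do is watch the bus for traffic that does not match the vehicle's normal profile. The following is an added example, not code from the original post or from any of the resources listed above: it parses candump-style log lines into frames and flags arbitration IDs that are either absent from a learned baseline or arrive far faster than the baseline ever showed, which is the simplest form of CAN intrusion detection. The log lines and the arbitration IDs 0x244, 0x1A0 and 0x3FF are constructed for illustration, not captured from a real car.

```python
"""Parse candump-style CAN frames and flag rate or ID anomalies.
Added example; all sample traffic below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CanFrame:
    timestamp: float
    interface: str
    arb_id: int      # arbitration ID: bus priority, NOT a sender address
    data: bytes      # 0..8 payload bytes; no authentication field exists


def parse_candump_line(line: str) -> CanFrame:
    """Parse one 'candump -l' style line: '(ts) iface ID#HEXDATA'."""
    ts, iface, frame = line.split()
    id_part, data_part = frame.split("#", 1)
    return CanFrame(float(ts.strip("()")), iface,
                    int(id_part, 16), bytes.fromhex(data_part))


def parse_log(lines: List[str]) -> List[CanFrame]:
    return [parse_candump_line(l) for l in lines if l.strip()]


def rate_profile(frames: List[CanFrame], bucket: float = 1.0) -> Dict[int, int]:
    """Peak number of frames seen per time bucket, for each arbitration ID."""
    counts: Dict[int, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in frames:
        counts[f.arb_id][int(f.timestamp // bucket)] += 1
    return {arb_id: max(buckets.values()) for arb_id, buckets in counts.items()}


def find_anomalies(baseline: List[CanFrame], suspect: List[CanFrame],
                   factor: float = 2.0, bucket: float = 1.0) -> List[Tuple[int, str]]:
    """Compare suspect traffic with a learned baseline.  Flags IDs never seen
    during baseline and IDs whose peak rate exceeds factor x the baseline peak."""
    base = rate_profile(baseline, bucket)
    seen = rate_profile(suspect, bucket)
    alerts = []
    for arb_id, peak in seen.items():
        if arb_id not in base:
            alerts.append((arb_id, "unknown arbitration ID"))
        elif peak > factor * base[arb_id]:
            alerts.append((arb_id, f"peak {peak}/bucket exceeds {factor}x "
                                   f"baseline {base[arb_id]}/bucket"))
    return sorted(alerts)


def make_log(arb_id: int, hz: float, seconds: float, start: float = 0.0,
             data: str = "0000000000000000") -> List[str]:
    """Build constructed candump lines for one ID at a steady rate."""
    return [f"({start + i / hz:.6f}) can0 {arb_id:03X}#{data}"
            for i in range(int(hz * seconds))]


# Constructed baseline: two periodic IDs, 10 Hz and 5 Hz, for two seconds.
BASELINE_LOG = make_log(0x244, 10, 2) + make_log(0x1A0, 5, 2)
# Constructed suspect capture: same periodic traffic, plus a 40 Hz burst on
# 0x244 in the first second and a single frame on an ID never seen before.
SUSPECT_LOG = (make_log(0x244, 10, 2) + make_log(0x244, 40, 1)
               + make_log(0x1A0, 5, 2) + make_log(0x3FF, 1, 1))


if __name__ == "__main__":
    for arb_id, reason in find_anomalies(parse_log(BASELINE_LOG), parse_log(SUSPECT_LOG)):
        print(f"ALERT 0x{arb_id:03X}: {reason}")
```

The burst detector works because legitimate ECUs transmit most IDs on fixed periods, so an injected frame stream on an existing ID shows up as a rate jump even though the frames themselves are indistinguishable from genuine ones. The threshold and bucket size need tuning per vehicle, and the baseline must be captured under normal driving, otherwise every unseen ID becomes an alert.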

What if an ECU itself has some kind of problem or degradation? This can increase vulnerability when combined with open CAN bus access.

For example, there were two independent recalls in early 2015 related to defective airbag deployments. The Jeep recall was due to software that detected rollover aggressively and deployed the airbags. The NHTSA recall was due to Takata airbags with faulty inflators.

As we bravely head to an IOT world where various devices and controllers are networked to external entities, such concerns will increase.

There are attacks on other car interfaces such as Bluetooth, the telematics unit and the remote key. Recently (July) there was an attack on a Jeep which caused an update to be issued to fix the bug. The Israeli media reported that a couple of startups, Argus and TowerSec, could have prevented this attack. Update Jan 2016: TowerSec is acquired by Harman – CES 2016 announcement.