Autos + Cyber Security

"Don’t cross the streams... Why? - It would be bad. I’m fuzzy on the whole good/bad thing. What do you mean 'bad'?"

I don’t generally like to blend my professional life with my extra-curricular activities, but after watching a commercial from TrueCar while on a recent business trip, my cyber (spidey) senses were left tingling… Let me put some context around my concerns: I’m a nearly 20-year veteran of the IT industry, with a specialization in Cyber Security (and an obvious passion for Automobiles). Since my mind was hyper-focused this week on cyber matters, I viewed this seemingly benign and “convenient” feature from TrueCar (below) with completely different eyes than I normally would.

WOAH! – WAIT, WHAT?!? – As you saw from the video: simply put in your license plate number, get details on your vehicle’s build and a quote in seconds. Some high-level questions that immediately came to mind: How does this really work? Are there any gates to stop some random person from using your license plate to look up information? How much PII (Personally Identifiable Information) is being exposed here? If PII isn’t exposed, what other information could I leverage or obtain from this app to get more detailed information about YOU? How many back-end systems are tied together here? “How far does the rabbit hole go?” asked Alice. I’ll also admit, I’m rather sensitive to vehicle ownership privacy, since I have had a vehicle stolen which was never recovered.

Following the simple steps laid out by TrueCar’s website, I quickly downloaded their app onto a compatible device. I started working through the process… using my neighbor’s license plate number, Ha! – to prove a point – a Chevy Avalanche that spends more time parked than running. All of these screenshots (below) were taken in sequence, so follow along:


If you’re not getting worried yet, you should be.

Through that entire process (which took a total of 30 seconds):

1. I captured a random License Plate number
2. I was never asked to log in or create an account
3. I was never asked to authenticate/verify myself in any way: as a human, bot or the vehicle owner
4. I verified the Yr/Mk/Model of the Vehicle
5. I acquired its VIN (Vehicle Identification Number) and an estimated value.

So what else can I do with this information?

Asking the mighty Google about: VIN NUMBER LOOKUP yields a variety of web-based tools – the leader in the space being CARFAX. And for those unfamiliar with CARFAX – if you take a vehicle’s VIN and run it through the system it generates a report about the vehicle and here’s what you get:

I was actually relieved that I was gated by CARFAX – because they wanted to make some money off of the information they are capturing from Insurance Companies, Police Reports and the Dealership Records Network; depending on my level of *interest* I could spend the $40 to see if this vehicle was properly maintained or has been in a major accident. Attempting to keep our ROI (Return On Investment) high and save time, I’m sure there’s another “Free Service” on the first page of our Google results that will give me more details, right?


But of course…

By way of VehicleHistory.com, I learned that the Avalanche has a clean title; and as of a few years ago, has relatively low-mileage for its age; with all major recalls completed. So far we’ve learned that the VIN data is vehicle-centric with little to no PII being exposed – which is good. If I was a car thief, I probably have everything I need to know about this vehicle to make a decision… but let’s say I’m a cyber criminal. Thanks to an online law dictionary by way of asking Google about: LICENSE PLATE LOOKUPS, I got a quick tutorial on how to leverage the public record system to gather even more information surrounding the Avalanche. This allowed me to dig even further:

Unlike VIN searches – which are designed to offer a potential buyer a look into the “medical history” of the vehicle – these “license plate lookup services” seem to drive their user towards a more critical data payload. Both of the websites above claim to offer “Name of Vehicle Owner” but more importantly “Registration Details” – which could potentially translate to a “Physical Address.” For a couple of bucks, we can have that – but dropping down another rung, a website like Findbyplate.com actually made my possibilities even wider and my stomach churn.


Ok, Take a breath…

Please know that my intent was not to overly rattle all of my friends – I was really apprehensive (and anxious) to begin my research for this article – seeing an opportunity to take a moment to bridge two of my worlds and spread some Cyber Awareness. For peace of mind, I’m going to keep the rest of my findings “rated-PG” and not build out a complete compromise formula for someone to follow. But by now I’m sure you can see where this was going: with enough data points, public records, time and available “free services” you should infer that someone could begin to create a dossier about YOU by starting with something as simple as your license plate number.

Many people will agree that moving public services to general availability is a good idea and does create mass convenience, but it also opens up new attack and data collection vectors. My hope is that you take away a better understanding of why Cyber Security is important and why data protection is crucial. There are so many seemingly innocuous data fragments out in the wild… Data that we take for granted each day as we move more-and-more services “to the cloud.” We need to consider how disparate systems could be linked together through common data points, creating a “pivot lookup” effect. That means, as Cyber Professionals, we must remain vigilant about how we protect these tools and services and remember that at the end of the day there is a direct correlation to protecting individuals, families and their privacy.
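The “pivot lookup” effect can be made concrete in a privacy review by modeling each service as a lookup from one identifier to a set of returned fields and computing what becomes reachable from a single starting value. The sketch below is an added example, not part of the original article; the service names, field names and gate labels are constructed to mirror the chain walked through above and do not describe any real service’s API.

```python
from collections import deque
# Constructed model of the article's lookup chain; names, fields, gates are assumptions.
SERVICES = [
    {"name": "plate_quote_app", "key": "license_plate", "gate": "none",
     "returns": ["year_make_model", "vin", "estimated_value"]},
    {"name": "vin_history_paid", "key": "vin", "gate": "payment",
     "returns": ["maintenance_history", "accident_history"]},
    {"name": "vin_history_free", "key": "vin", "gate": "none",
     "returns": ["title_status", "mileage", "recall_status"]},
    {"name": "plate_records_paid", "key": "license_plate", "gate": "payment",
     "returns": ["owner_name", "registration_details"]},
]
PII_FIELDS = {"owner_name", "registration_details"}

def reachable(start, services, passable_gates):
    """Map every field obtainable from `start` to the chain of services used,
    following only services whose gate is in `passable_gates`."""
    found = {start: []}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        for svc in services:
            if svc["key"] != key or svc["gate"] not in passable_gates:
                continue
            for field in svc["returns"]:
                if field not in found:  # a returned field may key another lookup
                    found[field] = found[key] + [svc["name"]]
                    queue.append(field)
    del found[start]
    return found

def with_gate(services, name, gate):
    """What-if: copy of the model with one service's gate replaced."""
    return [dict(s, gate=gate) if s["name"] == name else s for s in services]

def review(start="license_plate"):
    anonymous = reachable(start, SERVICES, {"none"})
    paying = reachable(start, SERVICES, {"none", "payment"})
    gated = with_gate(SERVICES, "plate_quote_app", "owner_verification")
    return {
        "anonymous": sorted(anonymous),
        "pii_behind_payment_only": sorted((PII_FIELDS & set(paying)) - set(anonymous)),
        "anonymous_after_gating_first_hop": sorted(reachable(start, gated, {"none"})),
        "mileage_path": anonymous["mileage"],
    }

if __name__ == "__main__":
    for finding, value in review().items():
        print(f"{finding}: {value}")
```

In this model, requiring owner verification on the first hop empties the anonymously reachable set, because every later lookup depended on the VIN that hop handed out.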

In the meantime, I’ll leave you with some fundamental Cyber Security Best Practices you can employ today:

  • Use Strong Passwords, and don’t reuse them
  • Use Two-Factor Authentication whenever possible (or offered)
  • Never send sensitive data through unsecured email
  • Keep your operating system & software up to date
  • Back up your data
  • Change the default passwords on your smart devices

and some vehicle specific tips…

  • Never sync/pair your smart device to a rental car
  • Always delete your “user profile” on your car’s multi-function / entertainment systems before you sell it.
  • Be considerate on the road; you never know who is capturing your actions in photo/video
  • Drive a manual, it’s an anti-theft-device 😉 #savethemanual
  • and consider getting rid of those Vanity Plates!

#merrymotoring #neverstoplearning

Eric M (https://www.gtmotorsports.org)
Outside of his editor duties, Eric focuses his personal writing interests on Op-Ed, Historical retrospectives and technical articles in his blog titled “Crew Chiefs”
