My car insurance exposed my location

58 points by daureg, over 7 years ago

6 comments

jimnotgym, over 7 years ago
Comments from the first time this was posted here: https://news.ycombinator.com/item?id=14314205
carbocation, over 7 years ago
Denouement, in which the author is not rewarded:

> The company fixed the leak 3 weeks later by providing new Web services endpoints that use authenticated calls. The company mailed its users saying them to update their App as soon as possible. The old Web services have been shutdown after 1 month and half since my first contact with the CERT Nazionale.

> I could be wrong, but I suspect the privacy flaw has been around for 3 years because the first Android version of the App uses the same APIs.

> I got no bounty.

> The company is a leading provider of telematics solutions.

I wonder how much that flaw would have fetched from a malicious actor?
wpietri, over 7 years ago
Wow. This is gross negligence. Short version: the guy's insurance company had him put a GPS-enabled device in his car to measure usage. With no auth and only the car's license plate number, you can track the car, find out who owns it, and get a bunch of stats.

This is the kind of thing that should result in a fine of millions of dollars. They never even tried to secure this.
sebazzz, over 7 years ago
I have not seen him mentioning that the web service is apparently invoked over unsecure HTTP. You can still add authentication, but if the service is running over HTTP you might as well not have any authentication at all.
razki, over 7 years ago
Pretty certain I read this last year.
kevin_thibedeau, over 7 years ago
Unless there has been some new innovation in this space, the OBD behavior trackers are just accelerometers. The typical placement down in the driver's footwell makes GPS too unreliable to bother with. The GPS correlation comes from being foolish enough to install their app.