Is the Automatic adapter safe from being hacked?

  • Question
  • Updated 3 years ago
  • Answered
Archived and Closed

This conversation is no longer open for comments or replies and is no longer visible to community members.

Automatic FAQ, Official Rep

Posted 3 years ago

Bottom line: Yes. 

From our CEO:

"We have top-flight engineers who think about security every day. Our devices use multiple, redundant security protocols that are similar to what banks use. We invite outside security experts to audit our security procedures. We pay hackers who are able to demonstrate flaws in our systems. For Automatic, security is a journey, not a destination. We follow strict internal rules to make sure we always design with our customers’ security in mind, but recognizing that we’re not perfect, we ask experts to check our work. And then we ask others to check the experts’ work. The job is never done, we only get better at it.

We thank you for your trust in Automatic. Drive safely."

Below are a few details of our security procedures for the technically minded. This is not a complete list, since many of our procedures are understandably secret.
  • We generate per-device 128-bit AES symmetric encryption keys during manufacturing. These are stored on Automatic’s servers, and enable secure setup and firmware updates.
  • The servers on our manufacturing line and the servers at Automatic that store our security keys are not connected to the open internet, but rather communicate with each other over a direct and secure HTTPS connection.
  • The adapter’s firmware has a whitelist of messages that can be sent to the car, so arbitrary (or malicious) messages can’t be sent to the car’s communications bus.
  • The adapter limits the rate at which messages can be sent to the communications bus.
  • Since a unique PIN etched into the device is required to operate the device, you must have access to both the Automatic adapter and the interior of the car in order to connect to the adapter. To this day, most off-the-shelf OBD-II adapters allow anyone with a smartphone in the vicinity of a car to pair to the device and send commands.
  • We enable Bluetooth’s security mechanisms, but we don’t rely on them. In addition, we use a device-specific encryption key to create a unique 128-bit AES session. This prevents both sniffing and communication between the device and unknown smartphones (or other clients).
  • All of our server communications take place over HTTPS.
  • Authenticity of our firmware updates is protected with an RSA 1024 signature and 128-bit encryption.

For more, please see our blog post on OBD hardware safety.
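
The message whitelist and rate limit described in the post above, sketched as an added example; this is not Automatic's firmware and not part of the original post. All names, the allowlist entries (standard read-only OBD-II requests) and the limits are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed allowlist of read-only OBD-II requests (service, PID).
 * has_pid == false means the service takes no PID byte. */
typedef struct { uint8_t service; bool has_pid; uint8_t pid; } allowed_req_t;
static const allowed_req_t ALLOWED[] = {
    { 0x01, true,  0x05 },  /* current data: coolant temperature */
    { 0x01, true,  0x0C },  /* current data: engine RPM */
    { 0x01, true,  0x0D },  /* current data: vehicle speed */
    { 0x03, false, 0x00 },  /* read stored trouble codes */
};

/* Token bucket in milli-tokens: burst of 4 messages, refill 10 per second. */
#define BURST_MILLI  4000u
#define RATE_PER_SEC 10u

typedef struct { uint32_t tokens_milli; uint32_t last_ms; } gate_t;
typedef enum { GATE_OK, GATE_NOT_ALLOWED, GATE_RATE_LIMITED } gate_result_t;

void gate_init(gate_t *g, uint32_t now_ms) {
    g->tokens_milli = BURST_MILLI;
    g->last_ms = now_ms;
}

static bool is_allowed(const uint8_t *msg, size_t len) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        const allowed_req_t *a = &ALLOWED[i];
        size_t want = a->has_pid ? 2u : 1u;
        /* Exact length match: trailing bytes are rejected, not ignored. */
        if (len == want && msg[0] == a->service && (!a->has_pid || msg[1] == a->pid))
            return true;
    }
    return false;
}

/* Decide whether one request from the phone may be forwarded to the car bus. */
gate_result_t gate_check(gate_t *g, const uint8_t *msg, size_t len, uint32_t now_ms) {
    if (msg == NULL || !is_allowed(msg, len))
        return GATE_NOT_ALLOWED;              /* default deny, costs no token */
    uint32_t elapsed = now_ms - g->last_ms;   /* unsigned math survives timer wrap */
    g->last_ms = now_ms;
    uint64_t t = (uint64_t)g->tokens_milli + (uint64_t)elapsed * RATE_PER_SEC;
    g->tokens_milli = t > BURST_MILLI ? BURST_MILLI : (uint32_t)t;
    if (g->tokens_milli < 1000u)
        return GATE_RATE_LIMITED;
    g->tokens_milli -= 1000u;
    return GATE_OK;
}
```

The allowlist is checked before the rate limiter, so a flood of rejected messages cannot consume the budget of legitimate requests.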
