Bottom line: Yes.
Below are a few details of our security procedures for the technically minded. This is not a complete list, since many of our procedures are understandably secret.
- We generate per-device 128-bit AES symmetric encryption keys during manufacturing. These are stored on Automatic’s servers, and enable secure setup and firmware updates.
- The servers on our manufacturing line and the servers at Automatic that store our security keys are not connected to the open internet, but rather communicate with each other over a direct and secure HTTPS connection.
- The adapter’s firmware has a whitelist of messages that can be sent to the car, so arbitrary (or malicious) messages can’t be sent to the car’s communications bus.
- The adapter limits the rate at which messages can be sent to the communications bus.
- Since a unique PIN etched into the device is required to operate the device, you must have access to both the Automatic adapter and the interior of the car in order to connect to the adapter. To this day, most off-the-shelf OBD-II adapters allow anyone with a smartphone in the vicinity of a car to pair to the device and send commands.
- We enable Bluetooth’s security mechanisms, but we don’t rely on them. In addition, we use a device-specific encryption key to create a unique 128-bit AES session. This prevents both sniffing and communication between the device and unknown smartphones (or other clients).
- All of our server communications take place over HTTPS.
- Authenticity of our firmware updates is protected with an RSA 1024 signature and 128-bit encryption.
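
The message whitelist and the rate limit from the list above, combined into one transmit gate. This is an added example, not Automatic's firmware code. The 0x7DF request ID, the permitted service IDs, the 8-byte padding and the bucket parameters are assumptions, since the page names none of them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed policy values, not taken from the vendor's firmware. */
#define OBD_FUNCTIONAL_ID 0x7DFu  /* 11-bit OBD-II functional request ID */
#define BUCKET_CAPACITY   5u      /* burst size, in frames */
#define REFILL_MS         100u    /* one token earned per 100 ms */

typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;
typedef struct { uint32_t tokens; uint32_t last_ms; } bucket_t;

/* Assumed allowlist: read-only services; 0x04 (clear DTCs) is left out. */
static const uint8_t allowed_services[] = { 0x01, 0x03, 0x09 };

/* Default deny: accept only well-formed single frames on the request ID. */
bool frame_allowed(const can_frame_t *f)
{
    if (f == NULL || f->id != OBD_FUNCTIONAL_ID || f->dlc != 8)
        return false;                 /* assumes requests padded to 8 bytes */
    uint8_t pci = f->data[0];         /* single-frame payload length, 1..7 */
    if (pci < 1 || pci > 7)
        return false;
    for (size_t i = 0; i < sizeof allowed_services; i++)
        if (f->data[1] == allowed_services[i])
            return true;
    return false;
}

/* Token bucket: refill from elapsed time, spend one token per frame. */
bool bucket_take(bucket_t *b, uint32_t now_ms)
{
    uint32_t earned = (now_ms - b->last_ms) / REFILL_MS; /* wrap-safe */
    if (earned > 0) {
        b->tokens = (earned >= BUCKET_CAPACITY - b->tokens)
                        ? BUCKET_CAPACITY : b->tokens + earned;
        b->last_ms += earned * REFILL_MS;
    }
    if (b->tokens == 0)
        return false;
    b->tokens--;
    return true;
}

/* Gate before every transmit; rejected frames do not spend tokens. */
bool may_transmit(bucket_t *b, const can_frame_t *f, uint32_t now_ms)
{
    return frame_allowed(f) && bucket_take(b, now_ms);
}
```

Checking the whitelist before the bucket means a flood of disallowed requests cannot use up the budget reserved for legitimate ones.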