10

There are these devices that you can plug into your car and the insurance company can get real-time data to "lower" your insurance cost.

Image from U.S.News, 2016.

How do they connect to the internet? Satellites? Mobile network? Searching on Google doesn't give much information:

Once the device is plugged into the car’s computer, it can see all the data the computer collects and it grabs whatever the insurance company has programmed it to find. It then uses wireless technology to transmit that information to the insurance company.

U.S.News., How Do Those Car Insurance Tracking Devices Work?, 2016

Other than that, how safe are those devices? Are man-in-the-middle attacks possible and can they possibly change the data that are being sent?

1
  • 2
    I've always wondered. Looking forward to answers.
    – anonymous2
    Commented Nov 28, 2017 at 1:22

2 Answers

9

Most of the telematic devices used by insurance companies use cellular phone devices (mostly using 2G which is fairly commonly used for low cost, low data requirement devices) to communicate with a couple of different sensors such as an accelerometer. Most also plug into the OBDII vehicle diagnostics port to collect data on the car as well.

From In-Car Sensors Put Insurers In The Driver's Seat:

The palm-sized devices plug into a car’s data port, the same spot mechanics use for vehicle diagnostics. (All cars made since 1996 have the ports.) The devices record information about mileage and speed, which is then used to calculate data about acceleration and braking trends. Some systems also have GPS capability that is relayed to insurance companies for research purposes — or to owners like Branson who opt for driver monitoring.

There has been some concern about security expressed, for instance see Progressive Insurance's Driver Tracking Tool Is Ridiculously Insecure. This article has a number of links to other articles and has this synopsis of the Progressive dongle that was investigated.

The dongle doesn't use any kind of network authentication to encrypt the data, the firmware isn't signed or validated, and it uses the infamously insecure FTP – the same protocol to upload and download files from your home server – to keep the bits flowing.

The bottom line so far as this article is concerned is:

Instead, it's more proof that security in the era of the Internet of Things – where everything you own is somehow connected – is woefully lacking.

See as well Car insurance companies want to track your every move—and you’re going to let them.

Since smart phones have a fairly nice sensor package of accelerometer, GPS, etc., a smart phone app can provide much of the information needed by an insurer. See Insurers will now be able to track driver behavior via smartphones.

UBI offers the insurance industry new opportunities for tailored discount programs. Notably, they can switch from relying on OBDII dongles plugged into the customer's car and instead use mobile apps that travel with the driver, whether he's traveling in his own car or another vehicle.
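
As an added illustration (not part of the answer above and not any vendor's actual protocol), the sketch below shows how a per-device message authentication code and a counter let the receiving side detect telemetry that was changed or resent in transit, which is the protection the quoted synopsis says was missing. The key, field names and frame layout are assumptions made for the example.

```python
import hashlib
import hmac
import json
import struct

# Constructed per-device secret; a real deployment would provision a unique
# key per dongle in protected storage (assumption, not from the page).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, counter: int, record: dict) -> bytes:
    """Device side: frame = 8-byte counter || JSON record || HMAC tag."""
    body = struct.pack(">Q", counter) + json.dumps(record, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Insurer side: verifies the tag, then enforces a strictly rising counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None, "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None, "bad tag"
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return None, "replay"
        self.last_counter = counter
        return json.loads(body[8:]), "ok"


def demo():
    rx = Receiver(DEVICE_KEY)
    frame = seal(DEVICE_KEY, 1, {"speed_kph": 132, "odometer_km": 48210})
    results = [rx.accept(frame)[1]]
    # Constructed case: the record is altered in transit without the key.
    forged = frame.replace(b"132", b"090")
    results.append(rx.accept(forged)[1])
    # Constructed case: an already accepted frame arrives a second time.
    results.append(rx.accept(frame)[1])
    return results
```

`demo()` returns `['ok', 'bad tag', 'replay']`. This covers integrity only; keeping the data confidential additionally requires an encrypted transport such as TLS.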

4

While not entirely legible, the label on the device appears to read "CalAmp".

The webpage of said manufacturer offers OBD dongle devices with mobile phone style data network (GSM/GPRS/CDMA/HSPA/UMTS) connectivity.

If the device is legally offered in the US, it will bear an FCC ID number which can be looked up in a web search engine to reveal a test report specifying frequencies and modulations which can be matched against general knowledge of network types. Something not offered in the US at all might have an identifying code for some other jurisdiction.
