That TomTom trojan
I’m not normally an investigative journalist – although I have nothing but admiration for the people who are – but as a technology journalist and consultant for more than 20 years, I’ve met a lot of people, and a lot of people know me. That’s how I came to break a major story online that spread quickly from my blog post to the front page of Slashdot and beyond, to be picked up by everyone from online news services and technology publications (PC Pro ran the story first online and in print last month) to a national newspaper or two. Here’s the story behind the story: how I broke the sad tale of the first virus-infected sat-nav device.
It all started with an email from a PC Pro reader of many years, Lloyd Reid, an IT consultant who had reached the end of his tether with TomTom: “Hi Davey, I know I haven’t contacted you before and hope you don’t mind my copying you on that email to TomTom. I just had to do something about this and wasn’t getting any response from them. Thanks for all your columns over the years – they’ve been great bedtime reading!” The copied email was a complaint about a recent purchase of a TomTom GO 910 sat-nav unit which, immediately upon being connected to his PC to back up its integrated hard drive, triggered his AV software to flag two infected files, revealing the presence of not merely one but two trojans.
On calling the TomTom support line, Lloyd was told these files weren’t used by the device and that he should just let his AV software delete them and “all would be fine”. As an IT consultant and regular reader of this column, he knew all was not fine and told them so, suggesting they investigate the matter. The support technician’s response was to tell him to log a request on the website, and to claim they weren’t dangerous trojans and wouldn’t crash his computer. Following a fruitless attempt to contact someone with a better awareness of security issues, Lloyd emailed TomTom’s IT helpdesk (and copied me in) in the hope that might “help you respond to my email with an adequate solution”. It did no such thing, of course, at least not directly.
It took me all of 30 minutes to discover a number of complaints regarding the presence of win32.perlovga.a and tr/drop.small.qp on the sat-nav’s hard drive, and a complete lack of meaningful support from TomTom. Most shockingly, these reports on specialist GPS support forums dated back to the beginning of December, yet there was no mention of the danger on TomTom’s website, no advisory and no guidance for users who may well have received the device as a Christmas gift, for example. My next move was to offer TomTom the opportunity to tell its side of the story, make amends and post a security advisory.
The UK PR team responded quickly to my request for an official statement and passed this to TomTom’s Netherlands HQ for attention, so that by the end of the following day I had the response, an official statement admitting that, “It has come to our attention that a small, isolated number of TomTom GO 910s, produced between September and November 2006, may be infected with a virus. The virus is qualified as low risk and can be removed safely with virus-scanning software. Appropriate actions have been taken to make sure this is prevented from happening again in the future.”
That was pretty much it, apart from removal advice to “allow the virus scanning software to remove the host.exe file, copy.exe file or any other variants”, and that “customers that do not have virus-scanning software are advised to install virus-scanning software”. Amazingly, though, there was still no sign of this statement or the scant advice it contains on the TomTom website. If the firm was hoping it would all just go away, it was in for a big surprise, because now citizen journalism took hold of events. I posted the story and TomTom’s full statement on my Inside Edge blog at DaniWeb, a US forum-based tech-support community I help to run.