Progressive Insurance Dongle Hacked
'An attacker who controls that dongle has full control of the vehicle,' says Digital Bond Labs' Corey Thuen.
At Digital Bond's S4x15 Conference last week, researcher Corey Thuen warned of significant security flaws in Progressive's Snapshot ODB-II port dongle, manufactured by Xirgo Technologies, which the insurance company uses to track customers' driving habits.
Thuen tested the device on his 2013 Toyota Tundra, and found that it operates with no security at all, according to Dark Reading -- the Snapshot doesn't authenticate to the cellular network, it doesn't encrypt its traffic, the firmware isn't signed or validated, and there's no secure boot function.
And the device leverages the CANbus, the same network that controls key vehicle functions such as braking and park assist steering, to access data on driving habits.
"Anything on the bus can talk to anything [else] on the bus," Thuen said, according to Dark Reading. "You could do a cellular man-in-the-middle attack" on the Snaspshot device's communications to Progressive, since there's no authentication or encryption of the traffic.
"What happens if Progressive's servers are compromised? An attacker who controls that dongle has full control of the vehicle," Thuen added.
Thuen also pointed out that these flaws aren't likely to be unique to the Snapshot -- he only chose Progressive's device because he could get a free trial. "I used Progressive's dongle, but it could have been anybody's," he said.
Thuen told Forbes that while he could have taken advantage of the vulnerability to unlock doors, start the car and download engine data, he didn't want to "weaponize" the exploits.
"Controlling it wasn't the focus, finding out if it was possible was the focus," he said.
In response, Progressive provided Forbes with the following statement: "We are confident in the performance of our Snapshot device -- used in more than two million vehicles since 2008 -- and routinely monitor the security of our device to help ensure customer safety."
"However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited," the company added. "While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims."
David Emm, principal security researcher at Kaspersky Lab, told CSO Online that we can only expect more attacks like this as vehicles become increasingly connected.
"As a result, everyone involved in the creation of a connected vehicle -- including policy makers -- needs to work together to ensure these points of weakness are dealt with, and security implemented, before connected vehicles make it onto our drives and onto our roads," Emm said.
Photo courtesy of Shutterstock.