2 million Progressive Snapshot customers may be at risk for car hacking

Cyber-Security Firm Says Popular Device Contains No Security

It was a mere two months ago that Israeli cyber-security researchers hacked into a device that plugs into the diagnostic port of a car and determined they could remotely control the vehicle from anywhere in the world. At the time, the simulated attack seemed like the automotive version of a canary in a coal mine. If researchers could breach this one device, perhaps other aftermarket products that plug into diagnostic ports were also vulnerable?

In short order, another cyber-security firm now reports finding serious flaws in a device used by more than 2 million motorists.

Researchers at Florida-based Digital Bond Labs say they have uncovered major problems in a device that Progressive Insurance uses to measure the driving habits of participating customers. By reverse-engineering the dongle, they gained access to a network that allows control of critical vehicle functions, like steering, braking and throttle inputs.

"What we found with this device was that it was designed with no security features," Dale Peterson, founder and CEO of Digital Bond Labs, tells Autoblog. "It wasn't even based on basic security coding practices. ... It's a house that has no doors, no windows and no fences, with valuables inside."

Peterson emphasized this was not a case of researchers exploiting a weakness in the dongle's security; it was simply that no security existed.

Device Records Driver Data

Progressive uses these devices as part of its Snapshot usage-based insurance program, which has been around since 2008. The dongle, which plugs into the OBD-II diagnostic port, collects data on how many miles are driven, what times of day a vehicle is in operation and how hard a driver brakes. In exchange for this driver data, prudent drivers can receive discounts as large as 30 percent off their premiums.

A company spokesperson said Progressive had not yet seen the research and is looking into the allegations.

"We are confident in the performance of our Snapshot device," a Progressive spokesperson said in a written statement. "To be clear, the researcher was not able to control any vehicle functions and we do not have evidence that anyone else has been able to do so. However, we take security very seriously and intend to investigate the matter thoroughly."

Growing Automotive Cyber Concerns

Cyber threats have become an industry-wide concern among automakers. Industry analysts increasingly see attacks on these third-party devices as more nefarious problems than the cars themselves because they essentially allow hackers to circumvent whatever security an automaker has put into place.

As first reported by Dark Reading, Digital Bond Labs researcher Corey Thuen found that once the Progressive dongle is plugged into the vehicle's local network, it does not authenticate to the cellular network on which it communicates information back to Progressive, nor does it encrypt its messages. He also says, "the firmware isn't signed or validated, and there's no secure boot function. Also, the device uses the notoriously unsecure FTP protocol."

The Snapshot dongle provides access to the same network that houses electronic control units, which control dozens of vehicle functions, everything from airbag deployments to the engine. Once inside this network, a hacker could send malicious codes to these ECUs that override a driver's inputs and control a vehicle.

"If someone hacked into the Progressive cloud, they could go to all the cars that have this," Peterson said. "They could send things to these dongles and potentially do some really bad things."

In November, Israel-based Argus Cyber Security researchers published information on a hack of one of these third-party devices. They claimed to exploit a vulnerability in the Zubie, a dongle that provides drivers with trip information, car performance and driver behavior.

Once inside, the Argus researchers unlocked doors and manipulated instrument-cluster readings. They say they could have also controlled the vehicle's engine, brakes and steering components from a remote location.

"In the internet of things, this is just another example of what happens when you add communication capability to things that typically didn't have them," Peterson said. "The concern is when they are added without security controls."

Share This Photo X