2+ million US cars can be hacked remotely, researcher claims

Security researcher Corey Thuen has made a surprising discovery when he reverse-engineered the firmware of the Snapshot tracking dongles that US-based Progressive Insurance gives out to its customers: the devices are woefully insecure, and can lead to data theft, as well as to the compromise of a car’s functions crucial to passenger safety.

The dongle, manufactured by California-based Xirgo Technologies, is inserted by insurance customers into their car’s OBD2 port, and tracks their driving habits so the provider can determine and/or adjust the amount of their premium. According to Forbes, the dongle is currently in use in over 2 million vehicles across the US.

According to Thuen, who works at Digital Bond Labs and has presented the results of his research last week at the S4 conference in Miami, the Dongle’s firmware is “minimal and insecure.”

“It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies-¦ basically it uses no security technologies whatsoever,” he pointed out.

He also says that it would be possible for an attacker present in the car or even a remote one to take control of some of the core functions of the car by compromising its on-board system via Snapshot. In order to do that, he or she should also compromise the u-blox modem that manages the connection between the dongle and the company’s servers – and this is also possible.

Add to this the danger of the company’s servers and networks being compromised and used to control the dongle and, through it, the car that has it inserted, and you can see why Thuen thought it a good idea to share the results of his research with the public.

He apparently tried to contact Xirgo Technologies to try to and share this information, but didn’t hear back from them. Progressive Insurance says that they didn’t get a heads up about the discoveries and the talk, but said they are willing to look at “credible evidence” about a potential vulnerability in the devices they use.

“We are confident in the performance of our Snapshot device and routinely monitor the security of our device to help ensure customer safety,” they stated.

Given the long list of security failings that Thuen compiled, that statement does ring a bit hollow.