1/16/2015
02:05 PM

Security MIA In Car Insurance Dongle

A researcher finds security holes in Flo the Progressive Girl's Snapshot insurance policy product.

S4x15 Conference -- Miami -- A researcher who peered under the hood of a dongle that plugs into a car's network to track a driver's habits and calculate policy rates found glaring security weaknesses in the device that ultimately could be used to hack a vehicle wirelessly.

Corey Thuen, a senior researcher with Digital Bond Labs, reverse engineered Progressive Insurance's Snapshot device -- used in 2 million US vehicles -- and tested it on his 2013 Toyota Tundra truck. After picking apart the hardware and testing its wireless communications while it was plugged into the vehicle's OBD-II diagnostic port on the car's local network, Thuen found that the Progressive dongle neither authenticates to the cellular network nor encrypts its traffic. The firmware isn't signed or validated, and there's no secure boot function. The device also uses the notoriously insecure FTP protocol.
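The "firmware isn't signed or validated" finding is the one a device maker fixes with a signature check at boot and at update time. Added here as an illustration (not Progressive's code or image format), this Go example packs a firmware image into a constructed layout, signs it with Ed25519, and verifies the signature and a monotonic version number before the image is accepted; the magic string, header layout and field names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a real vendor format):
// magic(4) | version(4, big-endian) | payload | Ed25519 signature(64) over everything before it.
const magic = "FWIM"

// Image is the decoded, verified update.
type Image struct {
	Version uint32
	Payload []byte
}

// Pack builds and signs an image; this runs on the vendor's build server, never on the device.
func Pack(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := append([]byte(magic), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(body[4:8], version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Verify is the device-side check: reject a malformed header, a signature that does not
// match the embedded public key, or a version not newer than the installed one (rollback).
func Verify(pub ed25519.PublicKey, blob []byte, installed uint32) (*Image, error) {
	if len(blob) < 8+ed25519.SignatureSize || string(blob[:4]) != magic {
		return nil, errors.New("malformed image")
	}
	sigStart := len(blob) - ed25519.SignatureSize
	if !ed25519.Verify(pub, blob[:sigStart], blob[sigStart:]) {
		return nil, errors.New("signature check failed: image rejected")
	}
	v := binary.BigEndian.Uint32(blob[4:8])
	if v <= installed {
		return nil, fmt.Errorf("rollback: version %d is not newer than installed %d", v, installed)
	}
	return &Image{Version: v, Payload: blob[8:sigStart]}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // in practice pub is burned into the device
	blob := Pack(priv, 2, []byte("constructed firmware payload"))
	img, err := Verify(pub, blob, 1)
	fmt.Println(img != nil, err) // true <nil>
	blob[12] ^= 0x01             // one flipped payload byte: signature no longer matches
	_, err = Verify(pub, blob, 1)
	fmt.Println(err)
}
```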

The device connects to the CAN bus, the same network that carries key vehicle functions, including braking, park-assist steering, and the ECU. It sends messages over the CAN bus to request information from the vehicle's computer systems, such as engine revolutions per minute, which Progressive uses to calculate the driver's insurance policy rate.

"Anything on the bus can talk to anything [else] on the bus," he says. "You could do a cellular man-in-the-middle attack" on the device's communications to Progressive, because there's no authentication or encryption. But a MITM would require spoofing a cell tower to capture the traffic, which Thuen did not test.

It would be easy for data to be leaked wirelessly. "What happens if Progressive's servers are compromised?" he says. "An attacker who controls that dongle has full control of the vehicle."

This isn't the first such experiment with dongles that attach to car networks. Most recently, researchers at Argus Cyber Security performed a similar hack of the Zubie, which checks for possible problems with the vehicle and lets drivers track their driving habits and trends and share their locations with friends. Researchers Ron Ofir and Ofer Kapota found similar security weaknesses, which they demonstrated could allow an attacker to take control of the engine, brakes, steering, and other functions wirelessly. Thuen says he heard about the Argus research after he began his own. "It is very similar," but the Argus researchers took it a step further by testing out possible exploitation, whereas he focused on the security flaws. "I did not conduct weaponized exploitation with the end goal of controlling the car. [I] merely looked for the possibility."

He picked Flo the Progressive Girl's product to test mainly because he could get a free trial, and he expects most similar devices to contain the same security weaknesses. "I used Progressive's dongle, but it could have been anybody's. I signed up, and they give you a free trial."

Progressive Insurance told Forbes:

    The safety of our customers is paramount to us. We are confident in the performance of our Snapshot device -- used in more than two million vehicles since 2008 -- and routinely monitor the security of our device to help ensure customer safety.

    However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it's unfortunate that Mr. Thuen didn't share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.

Car hacking research is nothing new. Chris Valasek and Charlie Miller have led the way with groundbreaking research, including demonstrating how to wrest control of a car's automated features such as braking and acceleration.

Thuen says there are blatant similarities in the security weaknesses of car network devices and ICS/SCADA environments. "You need to be careful of what you're plugging into your CANbuses and in your SCADA systems. We look at embedded devices all the time, such as relay station controllers for plants. They have the same type of lack of security architecture."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
mumom10
User Rank: Apprentice
1/26/2015 | 1:27:19 AM
Hack the dongle
This is downright unethical.  There is no way the company didn't know how insecure this device was.  This is a privacy violation to begin with - to expect a customer to allow an insurance provider to track.  It should be illegal.
Broadway0474
User Rank: Apprentice
1/21/2015 | 8:57:21 PM
Re: security in devices
@ODA155, I'm going to be up late again tonight! That's a good point about Progressive. What blew my mind is that they are an insurance company and thus in the BUSINESS OF RISK. They should know the risk of putting this device in their customers' cars. But like you alluded to, the risk goes beyond just dollars and cents should something happen. Their whole brand is based on protecting their customers, being there for them in a fix. This situation serves to undermine their brand, their reputation, at its core.
ODA155
User Rank: Ninja
1/20/2015 | 10:27:35 PM
Re: security in devices
@Broadway0474,...

Hey Broadway... good to see that I'm not the only one up late working :-)

"...cost-benefit analysis... How much will it cost to fix these issues?... How much could it probably cost if something bad were to happen?... If the former is more than the latter, then move forward. A miscalculation is usually how a massive recall happens. Or a class action lawsuit."

In my opinion, that is the reason why we have so many products with poor coding and/or no security at all. How about this, a) do it right the first time, 2) if it's broken, fix it (period). In the case of this particular device in this article, it's an insurance company we're talking about! People ARE their business, insuring their cars and other properties... show me that you really do care about me as you claim in all of your commercials or do your CBA and pray that you don't get sued... for something.
Broadway0474
User Rank: Apprentice
1/20/2015 | 10:16:28 PM
Re: security in devices
Sure, someone is doing the cost-benefit analysis on all these things. How much will it cost to fix these issues? How much could it probably cost if something bad were to happen? If the former is more than the latter, then move forward. A miscalculation is usually how a massive recall happens. Or a class action lawsuit.
ODA155
User Rank: Ninja
1/20/2015 | 12:51:09 PM
Re: security in devices
This is a little off topic, but please correct me if I'm wrong, but IoT (Internet of Things) is not a real architectural goal or plan, it's just the way the Internet already is and business wants to take advantage of that. If you have a device that connects to the Internet then you're a part of IoT whether you want to be or not, like being in a swimming pool with everyone else who's in the pool. But an IoT (Intranet of Things) would be something that a single or multiple organizations who agree to a plan or an architecture could control.

However I see your point but until organizations, government and even private citizens with all of these connecting "things" that make up the IoT decide to get their collective and personal security acts and priorities together, this is where we'll be. Just think, Mr. Thuen tested his theory on a 2013 Toyota Tundra truck, and that is NOT the most sophisticated or computerised vehicle on the road. There was an article in Forbes back in August 2013 (Hackers Reveal Nasty New Car Attacks--With Me Behind The Wheel (Video)) about hacking a Ford Escape... A man used his Toyota Prius as a generator during Hurricane Sandy... Car and Driver did an article in August 2011 about the concerns that the Center for Automotive Embedded Systems Security (CAESS) had about the proliferation of computers in cars. Heck, I just heard a piece on NPR a week or so back about how Ford is ramping up for the next few years to add more technology that will allow the car to do more and the driver to do less... cars can park themselves... Google and Audi both have driverless cars for God's sake!

So, at least to me, there is NOBODY that should be surprised that in the rush to get all of this technology into our cars, short-cuts will be taken and security and QA will be ignored.
Somedude8
User Rank: Apprentice
1/20/2015 | 12:41:32 PM
Re: security in devices
I would bet that on the team that built that thing, there was at least one programmer trying to tell the Powers That Be in their shop that there was a glaring security hole. I have seen this too many times.

"Hey, this isn't secure."

"What would it cost to make it secure?"

"X number of man hours."

"Lets circle back to this later in the development cycle, we have a bit of pressure right now to meet our numbers."
rjones2818
User Rank: Strategist
1/20/2015 | 11:05:15 AM
Re: security in devices
The hackability of IOT devices should make everybody question if IOT should be the path to be followed.
rcrutchlowl6m
User Rank: Apprentice
1/20/2015 | 9:51:12 AM
Re: security in devices
The risk of these auto monitoring devices being hacked and causing potentially deadly mayhem is rising quickly. I have no doubt that Flo (Progressive Insurance) is now scrambling to determine both the device vulnerability and more importantly (to Flo) their liability if the device is shown to be responsible not just for data theft but also for damage or even (God forbid) loss of life. This vulnerability is not restricted just to these devices but the whole "Internet of Things" and legislators and standards organizations appear to be taking a far too casual interest in the potential consequences ... waiting for issues to shake themselves out and passively watching public beta testing rather than being proactive.


It would certainly make sense if, for once, standards (e.g. data encryption, key system isolation, etc.) and enforceable regulation could get out in front of the inevitable threats and provide both a framework and guidance to mitigate the potential chaos. Blackhats are lurking out there.
Marilyn Cohodas
User Rank: Strategist
1/20/2015 | 8:54:16 AM
Re: security in devices
Unlikely that anyone at Progressive was fired (or will be), given the fact that (at least according to what Progressive told Forbes) the insurance company hasn't been "officially" informed of the research behind the vulnerability. Just another issue in the growing list of connected "things" in the Internet of Everything. Yikes...
Broadway0474
User Rank: Apprentice
1/19/2015 | 10:59:08 PM
Re: security in devices
This amazes me that an insurance company could be so oblivious --- perhaps even indifferent --- to risk. I know cyber liability is an emerging risk and not the same as figuring out the chances somebody is going to get into a car accident in the next year, but at the same time, who designed these devices for them? Has someone been fired at Progressive because of this?