S4x15 Conference -- Miami -- A researcher who peered under the hood of a dongle that plugs into a car's network to track a driver's habits and calculate policy rates found glaring security weaknesses in the device that ultimately could be used to hack a vehicle wirelessly.
Corey Thuen, a senior researcher with Digital Bond Labs, reverse engineered Progressive Insurance's SnapShot device -- used in 2 million US vehicles -- and tested it on his 2013 Toyota Tundra truck. After picking apart the hardware and testing its wireless communications while plugged into the vehicle's ODP-II diagnostic port on the car's local network, Thuen found the Progressive dongle doesn't authenticate to the cellular network or encrypt its traffic. The firmware isn't signed or validated, and there's no secure boot function. Also, the device uses the notoriously unsecure FTP protocol.
The device runs on CANbus, the very same network where key vehicle functions -- including braking, park assist steering, and ECU -- are housed. It sends messages over the CAN to request information from the vehicle's computer systems, such as revolutions per minute, to calculate the driver's ultimate insurance policy rate.
"Anything on the bus can talk to anything [else] on the bus," he says "You could do a cellular man-in-the-middle attack" on the device's communications to Progressive, because there's no authentication or encryption. But a MITM would require spoofing a cell tower to capture the traffic, which Thuen did not test.
It would be easy for data to be leaked wirelessly. "What happens if Progressive's servers are compromised?" he says. "An attacker who controls that dongle has full control of the vehicle."
This isn't the first such experiment with dongles that attach to car networks. Most recently, researchers at Argus Cyber Security performed a similar hack of the Zubie, which checks for possible problems with the vehicle and lets drivers track their driving habits and trends and share their locations with friends. Researchers Ron Ofir and Ofer Kapota found similar security weaknesses, which they demonstrated could allow an attacker to take control of the engine, brakes, steering, and other functions wirelessly. Thuen says he heard about the Argus research after he began his own. "It is very similar," but the Argus researchers took it a step further by testing out possible exploitation, whereas he focused on the security flaws. "I did not conduct weaponized exploitation with the end goal of controlling the car. [I] merely looked for the possibility."
He picked Flo the Progressive Girl's product to test mainly because he could get a free trial, and he expects most similar devices to contain the same security weaknesses. "I used Progressive's dongle, but it could have been anybody's. I signed up, and they give you a free trial."
Progressive Insurance told Forbes:
- The safety of our customers is paramount to us. We are confident in the performance of our Snapshot device -- used in more than two million vehicles since 2008 -- and routinely monitor the security of our device to help ensure customer safety.
However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it's unfortunate that Mr. Thuen didn't share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.
Car hacking research is nothing new. Chris Valasek and Charlie Miller have led the way with groundbreaking research, including demonstrating how to wrest control of a car's automated features such as braking and acceleration.
Thuen says there are blatant similarities in the security weaknesses of car network devices and ICS/SCADA environments. "You need to be careful of what you're plugging into your CANbuses and in your SCADA systems. We look at embedded devices all the time, such as relay station controllers for plants. They have the same type of lack of security architecture."