Tag Archives: Progressive Snapshot

Insecure dongle puts more than 2 million vehicles at risk

1 Reply

Oh Flo they didn’t! But they did…  

Just a few months ago, a team of cybersecurity researchers hacked into a diagnostic plug-in device and demonstrated that they could remotely control a vehicle from anywhere. Now, another firm has discovered serious vulnerabilities in a gadget currently in use by more than 2 million motorists: the Progressive Insurance Snapshot. (We’re sure you’ve seen the commercials, but just in case…)

Progressive uses a Bluetooth-enabled dongle as part of its usage-based insurance program to monitor the driving habits of its customers, tracking habits for risk assessment and premium adjustments. The device simply plugs into the OBD-II diagnostic port, collects data on how many miles are driven, what times of day a vehicle is in operation and how hard a driver brakes.

By reverse-engineering that same device, Digital Bond Labs security researcher Corey Thuen recently found a way to gain entry into the vehicle’s network, highlighting flaws that would enable any skilled hacker to unlock and start the car, hijack its steering and braking systems, as well as gather engine information. 

Regardless of the steps required to carry out a successful attack, it’s apparent such gadgets are insecure and could potentially pose a risk to car owners. “The technology being used in them is outdated and vulnerable to attack which is highly troubling considering it is being used to remotely access insecure by design vehicle computers,” the researcher added. However, a remote attack is only possible if the u-blox modem — which handles connections between the dongle and Progressive’s servers — is compromised as well.

In-the-car-1455x1940

“It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever,” Thuen told Forbes.  

With the rise of the Internet of Things, cyber threats will increasingly become an industry-wide concern. And, as countless connected devices infiltrate our daily lives, whether at home or in the car, many will only possess minimal security features guarding them against attacks. Luckily, storing “secret keys” in very secure, tamper-safe hardware adds a big road block to any hack attempt. This is where Atmel can help.