Driving data collection device is completely insecure

Jan 19, 2015 10:41 GMT

A device used by Progressive Insurance to collect information about its customers’ driving behavior has been found to be insecure and to allow remote control of the vehicle.

The dongle, called Snapshot, is connected to the OBD II port of the car and tracks the driver’s actions at the wheel, such as hard braking and steering, over a defined distance. This information is sent to Progressive Insurance servers so that the company can create a custom insurance policy.

Dongle is utterly insecure

The OBD II port is available in all cars and light trucks that have been built and sold in the United States since 1996. It mediates communication with compatible devices over the CAN bus.

Snapshot has been analyzed by security researcher Corey Thuen from Digital Bond Labs, who created an exploit for taking control of a car equipped with the insurance company's device.

He reverse engineered the firmware of the dongle and discovered that it relied on outdated technology and presented serious security risks, allowing him to take control of a car.

Thuen said that, by connecting his laptop to Snapshot, he would have been able to unlock the doors of the car, start the engine, and check details about the engine.

“The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever,” the researcher told Forbes.

Risk of man-in-the-middle attack

Connecting to the device directly without the driver noticing is difficult to put into practice, but Thuen said that the attack can be carried out remotely, by compromising the u-blox cellular modem module, which is in charge of connecting Snapshot to Progressive’s servers.

An attacker could compromise the module by using a rogue GSM base station (cell tower) to intercept the communication, in a man-in-the-middle (MitM) type of attack; this, of course, would require a certain proximity to the target.

Someone sufficiently motivated could deploy an attack on vehicles equipped with Snapshot and thus be able not only to snoop on the information sent by the dongle but also to take control of the vehicles.

Xirgo Technologies, the manufacturer of the device, was contacted by the security researcher but did not respond. Forbes says that Progressive Insurance was not contacted, but the company welcomes Thuen sharing his findings so that they can be evaluated and mitigation measures issued.

Thuen presented his findings at the S4x15 ICS Security Conference held in Miami last week.
