General Insurance Article - Insurance trackers could leave cars vulnerable to hijack


Devices handed out to drivers by insurance companies to track driving habits and price premiums are insecure and could allow hackers to hijack cars, including steering and braking systems, warns a security expert.

 Corey Thuen investigated the SnapShot device which Progressive Insurance has issued to around two million US drivers to track their speed and location. That information is then used to assess the insurance risk of customers and price their policies.
  
 Several UK firms offer similar devices made by other manufacturers.
  
 Thuen, who works as a security expert at consultancy firm Digital Bond, reverse engineered the software included on the SnapShot and found that he was able to use it to access certain functions of the car's CAN bus.
  
 The CAN bus is a standard protocol which allows various computers and components inside a car to talk to each other. The SnapShot connects to the car via this system, and by gaining access to it hackers could theoretically affect steering or braking.
  
 "The firmware running on the dongle is minimal and insecure," Thuen told Forbes.
  
 "It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies... basically it uses no security technologies whatsoever.
  
 "I suspected that these dongles were built insecurely, and I was correct. The technology being used in them is outdated and vulnerable to attack, which is highly troubling considering it is being used to remotely access insecure-by-design vehicle computers. A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb."
  
 Although Thuen used a laptop connected directly to the device to gain access, he said that the built-in modem would make a remote attack possible. An attack on the insurance company's servers could also provide access, he warned.
  
 Thuen reportedly contacted the manufacturer of the SnapShot device, Xirgo Technologies, to inform it of the security vulnerability, but received no response. He subsequently revealed information about the flaw at the S3x15 security conference in Miami.
  
 David Emm, principal security researcher at Kaspersky Lab, said: "This is just another example of how, as our cars become increasingly connected, we open the door to threats that have long existed in the PC and smartphone world.
  
 "As well as gaining remote access to the vehicle, by compromising USB dongles, cybercriminals could potentially exploit features such as self-parking, active lane control, pre-collision systems and adaptive cruise control, all of which require some level of communication between a sensor and the brakes, acceleration or steering, usually over Bluetooth or some other radio signal.
  
 "As vehicles become increasingly connected and autonomous, we can only expect to see more attacks of this nature. As a result, everyone involved in the creation of a connected vehicle - including policy makers - needs to work together to ensure these points of weakness are dealt with, and security implemented, before connected vehicles make it onto our drives and onto our roads. At the same time, owners of next generation cars must wake up to the fact that threats specific to the computer world now apply to connected vehicles and take these risks into account."
  
 Progressive Insurance says on its website that Snapshot notes information like the distance, time of day and how you drive, including any hard brakes.
  
 "Snapshot personalises your insurance rate based on your actual driving. The better you drive, the more you can save."
  
 Progressive Insurance was unavailable for comment at the time of writing, as was Xirgo Technologies.
