Corey Thuen investigated the SnapShot device which Progressive Insurance has issued to around two million US drivers to track their speed and location. That information is then used to assess the insurance risk of customers and price their policies.
Several UK firms offer similar devices made by other manufacturers.
Thuen, who works as a security expert at consultancy firm Digital Bond, reverse-engineered the software included on the SnapShot and found that he was able to access certain functions of the car's CAN bus via it.
The CAN bus is a standard protocol which allows various computers and components inside a car to talk to each other. The SnapShot connects to the car via this system, and by gaining access to it, hackers could theoretically affect steering or braking.
"The firmware running on the dongle is minimal and insecure," Thuen told Forbes.
"It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies... basically it uses no security technologies whatsoever.
"I suspected that these dongles were built insecurely, and I was correct. The technology being used in them is outdated and vulnerable to attack, which is highly troubling considering it is being used to remotely access insecure-by-design vehicle computers. A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb."
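The first item on Thuen's list, no validation or signing of firmware updates, is the control a device like this would normally apply before writing anything to flash. The following is an added illustration written for this article, not code from Xirgo, Progressive or Digital Bond, and it assumes a constructed image layout (magic, version, payload, Ed25519 signature) and Go's standard library; the real dongle's format is not described on the page. The device holds only the vendor's public key, so an image that is tampered with, signed under another key, or replayed at an older version is rejected before its contents are interpreted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not the Snapshot dongle's real format):
//   bytes 0-3   magic "FWUP"
//   bytes 4-7   version, big-endian uint32 (monotonic, for anti-rollback)
//   bytes 8..   payload
//   last 64     Ed25519 signature over everything before it
const (
	imageMagic = "FWUP"
	headerSize = 8
)

var (
	ErrTooShort = errors.New("image shorter than header plus signature")
	ErrBadSig   = errors.New("signature does not verify under the vendor key")
	ErrBadMagic = errors.New("unexpected image magic")
	ErrRollback = errors.New("image version is not newer than the installed one")
)

// BuildImage is the vendor-side step: frame the payload and sign it with the
// vendor's private key, which never leaves the build infrastructure.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 0, headerSize+len(payload)+ed25519.SignatureSize)
	body = append(body, imageMagic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	body = append(body, v[:]...)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side check that runs before a single payload byte
// is written to flash. installed is the version currently running; pub is the
// vendor public key baked into the device at manufacture.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, uint32, error) {
	if len(img) < headerSize+ed25519.SignatureSize {
		return nil, 0, ErrTooShort
	}
	sigStart := len(img) - ed25519.SignatureSize
	body, sig := img[:sigStart], img[sigStart:]
	// Authenticate first, so no attacker-controlled field is interpreted
	// before it is known to come from the vendor.
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrBadSig
	}
	if string(body[:4]) != imageMagic {
		return nil, 0, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(body[4:8])
	// Anti-rollback: a validly signed but older image could reintroduce fixed bugs.
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return body[headerSize:], version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key ceremony
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	if _, ver, err := VerifyImage(pub, 1, img); err == nil {
		fmt.Println("accepted update to version", ver)
	}
	tampered := append([]byte(nil), img...)
	tampered[headerSize] ^= 0xff // flip one payload bit
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
	_, _, err = VerifyImage(pub, 2, img)
	fmt.Println("replayed old version:", err)
}
```

The ordering matters: the signature is checked over the whole framed image before the version field is read, so a device never acts on a header it has not authenticated, and the version comparison then blocks the replay of a genuine but older release.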
Although Thuen used a laptop connected directly to the device to gain access, he said that the built-in modem would make a remote attack possible. An attack on the insurance company's servers could also provide access, he warned.
Thuen reportedly contacted the manufacturer of the SnapShot device, Xirgo Technologies, to inform it of the security vulnerability, but heard no response. He subsequently revealed information about the flaw at the S3x15 security conference in Miami.
David Emm, principal security researcher at Kaspersky Lab, said: "This is just another example of how, as our cars become increasingly connected, we open the door to threats that have long existed in the PC and smartphone world.
"As well as gaining remote access to the vehicle, by compromising USB dongles, cybercriminals could potentially exploit features such as self-parking, active lane control, pre-collision systems and adaptive cruise control, all of which require some level of communication between a sensor and the brakes, acceleration or steering, usually over Bluetooth or some other radio signal.
"As vehicles become increasingly connected and autonomous, we can only expect to see more attacks of this nature. As a result, everyone involved in the creation of a connected vehicle - including policy makers - needs to work together to ensure these points of weakness are dealt with, and security implemented, before connected vehicles make it onto our drives and onto our roads. At the same time, owners of next-generation cars must wake up to the fact that threats specific to the computer world now apply to connected vehicles and take these risks into account."
Progressive Insurance says on its website that Snapshot notes information like the distance, time of day and how you drive, including any hard brakes.
"Snapshot personalises your insurance rate based on your actual driving. The better you drive, the more you can save."
Progressive Insurance was unavailable for comment at the time of writing, as was Xirgo Technologies.