Insecure Snapshot dongle puts 2 million cars at risk


More than 2 million vehicles on the roads in the United States use the Snapshot dongle to earn cheaper rates from Progressive Insurance. The little device monitors and tracks driving behavior to reward safe drivers, but a security researcher has revealed that it is insecure and could also put the vehicle in danger.

According to the Progressive Insurance website, you just plug the Snapshot device into the OBD-II port in your vehicle. Most recent vehicles have one—it’s a diagnostic port typically found somewhere beneath the steering column. Snapshot then logs your driving habits, such as what time of day you drive, how you drive, and how hard you brake. Assuming you drive safely, Progressive will reward you with discounted rates on insurance.

Corey Thuen, a security researcher, scrutinized the Snapshot and the access it has to the vehicle's computer systems, and discovered some serious concerns. Thuen reports that the device is completely lacking in security and can be exploited by a hacker to take control of crucial vehicle functions—possibly putting the lives of people inside the vehicle at risk.

“The story, highlighting how a Bluetooth dongle used to gather vehicle data can be compromised, provides another example of how, as our cars become increasingly connected, we open the door to threats that have long existed in the PC and smartphone world,” warns David Emm, principal security researcher at Kaspersky Lab. “As well as gaining remote access to the vehicle, cybercriminals could potentially exploit features such as self-parking, active lane control, pre-collision systems and adaptive cruise control, all of which require some level of communication between a sensor and the car’s mechanical systems.”

Emm suggests, “As vehicles become increasingly connected and autonomous, we can only expect to see more attacks of this nature. As a result, everyone involved in the creation of a connected vehicle—including policy makers—needs to work together to ensure these points of weakness are dealt with, and security implemented, before connected vehicles make it onto our drives and onto our roads.”

He also points out that drivers bear some responsibility. Individuals need to be aware of the potential risks of computer-controlled, connected vehicles and take any available precautions or make efforts to secure and protect those vehicle systems from being hacked.

For starters, I suppose you could stop using the Snapshot device, since that is the Achilles’ heel providing access for hackers in this case. However, the problem is broader than that, extending to connected vehicles and connected technologies in general. As the Internet of Things becomes ubiquitous, it is going to be more important than ever for both vendors and consumers to make security a higher priority.
