Hackers could exploit security holes in Progressive Insurance Snapshot devices

UPDATE: A previous version of this article claimed that a researcher wirelessly breached the security on Progressive Insurance’s Snapshot device. In fact, the researcher breached the device through a local connection, although other experts have pointed out that separate research suggests that wireless hacking of the devices is a possibility.

At CES 2015, General Motors said it “expanded its OnStar in-vehicle concierge service” so that it will offer a “driver assessment” program by the end of summer 2015. OnStar 4G LTE users can sign up for a 90-day driving evaluation, which – if the user agrees – can be passed on to Progressive for a possible Snapshot insurance discount. Snapshot is already in use by monitoring driving in over two million vehicles in the U.S.

But Progressive’s Snapshot dongle is dangerously insecure, according to Corey Thuen of Digital Bond Labs. 

Wikia / Progressive

After reverse-engineering Progressive’s Snapshot device, Thuen plugged it into the OBD-II diagnostic port of his 2013 Toyota Tundra and tested its wireless communications. Thuen outlined the security flaws in Progressive’s dongle during his talk on Remote Control Automobiles at the S4X15 Conference. He said “it would be possible to intercept data passed between the dongles and the insurance providers’ servers, likely including location and performance information, as they ‘do nothing to encrypt or otherwise protect the information they collect’.”

“The firmware running on the dongle is minimal and insecure,” Thuen told Forbes. “It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.” The device also uses insecure FTP protocol.

Snapshot runs on CANbus, explained Dark Reading; it’s the “same network where key vehicle functions — including braking, park assist steering, and ECU — are housed. It sends messages over the CAN to request information from the vehicle’s computer systems, such as revolutions per minute, to calculate the driver’s ultimate insurance policy rate.”

“Anything on the bus can talk to anything [else] on the bus,” Thuen said. Since there’s no encryption or authentication, “You could do a cellular man-in-the-middle attack” on the communications of Progressive’s dongle. But a remote MITM attack would only be successful if an attacker spoofed a cell tower. “What happens if Progressive’s servers are compromised? An attacker who controls that dongle has full control of the vehicle.”

He didn’t weaponize his exploits, Thuen told Forbes, but “by hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information.” He added that previous Argus Cyber Security research did go further than his focus on security flaws by testing exploits that would allow an attacker to remotely control a car. Argus previously discovered a vulnerability in the Zubie connected car service that “could allow an attacker to wirelessly and remotely influence a vehicle’s mission critical components such as the engine, brakes steering and others.”

Yet Thuen called the outdated tech being used in Snapshot “highly troubling” as it is vulnerable to attack. “A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.”

“Also, there is the attack vector of Progressive backend infrastructure,” he added. “If those systems are compromised, an attacker would have control over the devices that make it out to the field. In simple terms, we have seen that cars can be hacked and we have seen that cell comms can be hacked.”

Xirgo Technologies, which manufactures Progressive’s Snapshot devices, failed to respond after Thuen disclosed the security flaws he found. Yet Progressive took Thuen to task for public disclosure. The company told Forbes:

If an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.

Although Thuen only tested Progressive’s Snapshot, he said he suspects the same security weaknesses will be found in other companies’ devices that monitor driving to determine insurance rates.