Two Million Cars Using Wireless Insurance Dongle Vulnerable to Hacking
2015 will be a smarter year than 2014, with smarter mobile devices, smarter home appliances, and, yes, smarter automobiles.
Nowadays, a number of automobile companies offer vehicles that run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled, from the instrument cluster to steering, brakes, and the accelerator as well.
No doubt these systems make your driving experience better, but at the same time they also increase the risk of getting hacked.
According to recent research, an electronic dongle plugged into the on-board diagnostic port of more than two million cars and trucks contains a few security weaknesses that make it vulnerable to wireless attacks, which could result in an attacker taking control of the entire vehicle.
Since 2008, US-based Progressive Insurance has used the SnapShot device in more than two million vehicles.
The little device monitors and tracks users' driving behavior by collecting vehicle location and speed records, in order to help determine if they qualify for lower rates.
However, security researcher Corey Thuen has revealed that the dongle is insecure and performs no validation or signing of firmware updates. It has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols, possibly putting the lives of people inside the vehicle in danger.
"The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies ... basically it uses no security technologies whatsoever," Thuen told Forbes.
SnapShot plugs into the OBDII port of Thuen's 2013 Toyota Tundra pickup truck. Thuen said that an attack on the adjacent modem, which handles the connection between Progressive’s servers and the dongle, was possible too, which could allow a potentially deadly takeover of the car's acceleration and braking.
"What happens if Progressive's servers are compromised? An attacker who controls that dongle has full control of the vehicle," he added.
"A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb."
Mr. Thuen presented the detailed analysis of the research last week at the S4x15 Conference in Miami. The research highlighted the minimal protections included with many widely used car computer systems. While he focused on dongles from Progressive, he also warned that devices from other insurance companies could be at risk.
Progressive officials have said they were confident SnapShot was secure and were not informed about the flaws by Mr. Thuen before he revealed them at a computer security conference. However, the company said it welcomes input on identifying security weaknesses so that it can evaluate them and make any necessary improvements.
Reviewed by Unknown on 1/28/2015