Corey Thuen, a senior researcher with Digital Bond Labs, reverse engineered Progressive Insurance's SnapShot device -- used in 2 million US vehicles -- and tested it on his 2013 Toyota Tundra truck. After picking apart the hardware and testing its wireless communications while plugged into the vehicle's ODP-II diagnostic port on the car's local network, Thuen found the Progressive dongle doesn't authenticate to the cellular network or encrypt its traffic. The firmware isn't signed or validated, and there's no secure boot function. Also, the device uses the notoriously unsecure FTP protocol.
The device runs on CANbus, the very same network where key vehicle functions -- including braking, park assist steering, and ECU -- are housed. It sends messages over the CAN to request information from the vehicle's computer systems, such as revolutions per minute, to calculate the driver's ultimate insurance policy rate.
"Anything on the bus can talk to anything [else] on the bus," he says "You could do a cellular man-in-the-middle attack" on the device's communications to Progressive, because there's no authentication or encryption. But a MITM would require spoofing a cell tower to capture the traffic, which Thuen did not test.
It would be easy for data to be leaked wirelessly. "What happens if Progressive's servers are compromised?" he says. "An attacker who controls that dongle has full control of the vehicle."
The official response from Xirgo, the manufacturer of the dongle device, and Progressive isn't exactly reassuring.
“However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.”
One could easily imagine an information warfare operation executed by an adversary of the U.S. that targeted automobiles; said actor could literally paralyze the economy by shutting down traffic across the country.
Hat tip: Real-Time Science & Technology News at BadBlue Tech.