Wednesday, January 21, 2015

REPORT: Progressive Insurance Driving Tracker Lacks Basic Security, Allows Attacker "Full Control" of Vehicles

Well, this seems rather disturbing.

Corey Thuen, a senior researcher with Digital Bond Labs, reverse engineered Progressive Insurance's Snapshot device -- used in some 2 million US vehicles -- and tested it on his own 2013 Toyota Tundra. After picking apart the hardware and observing its wireless communications while it was plugged into the truck's OBD-II diagnostic port, Thuen found that the dongle neither authenticates the connection it makes back to Progressive over the cellular network nor encrypts its traffic. Its firmware is not signed or validated, there is no secure boot, and the device uses FTP, which sends credentials and data in the clear.

The device sits on the vehicle's CAN bus, the same network that carries traffic for key vehicle functions, including braking, park-assist steering and the engine control unit (ECU). It sends CAN messages to request data from the vehicle's computers, such as engine RPM, which Progressive uses to price the driver's policy.
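To make the "requests information over the CAN" step concrete, here is an added illustration (not Digital Bond's, Xirgo's or Progressive's code) of how an OBD-II dongle asks the engine for RPM: it puts a mode 0x01 / PID 0x0C request on the standard functional request ID 0x7DF and decodes the ECU's reply from the 0x7E8 range using the SAE J1979 formula. The tiny ECU model at the end answers any well-formed request; the frame carries no sender identity, which is the "anything on the bus can talk to anything" property in code.

```python
"""OBD-II engine-RPM query over CAN (added example, not the dongle's firmware)."""
from dataclasses import dataclass
from typing import Optional

OBD_FUNCTIONAL_REQUEST_ID = 0x7DF   # "any ECU that supports this PID, answer"
OBD_RESPONSE_ID_BASE = 0x7E8        # physical response IDs 0x7E8 .. 0x7EF
MODE_CURRENT_DATA = 0x01            # J1979 service 01: show current data
PID_ENGINE_RPM = 0x0C
CAN_DLC = 8                         # classic CAN payload length


@dataclass(frozen=True)
class CanFrame:
    """A classic CAN frame: arbitration ID plus up to 8 data bytes. Note what is
    absent: there is no source-address field, so receivers cannot tell who sent it."""
    arbitration_id: int
    data: bytes


def _pad(payload: bytes) -> bytes:
    return payload + b"\x00" * (CAN_DLC - len(payload))


def build_rpm_request() -> CanFrame:
    """ISO-TP single frame: byte 0 is the payload length (2), then mode and PID."""
    return CanFrame(OBD_FUNCTIONAL_REQUEST_ID,
                    _pad(bytes([2, MODE_CURRENT_DATA, PID_ENGINE_RPM])))


def decode_rpm_response(frame: CanFrame) -> float:
    """Decode a mode-01 PID-0C reply. Response mode = request mode + 0x40,
    payload length 4 (mode, PID, A, B), RPM = (256*A + B) / 4."""
    if not (OBD_RESPONSE_ID_BASE <= frame.arbitration_id <= OBD_RESPONSE_ID_BASE + 7):
        raise ValueError("not an OBD-II response ID")
    length, mode, pid = frame.data[0], frame.data[1], frame.data[2]
    if length != 4 or mode != MODE_CURRENT_DATA + 0x40 or pid != PID_ENGINE_RPM:
        raise ValueError("not a mode-01 PID-0C response")
    a, b = frame.data[3], frame.data[4]
    return ((a << 8) | b) / 4.0


def ecu_handle(frame: CanFrame, current_rpm: int) -> Optional[CanFrame]:
    """Minimal model of an engine ECU (constructed for the example). It answers any
    well-formed RPM request on the functional ID: an insurance dongle, a diagnostic
    tool and a rogue node plugged into the OBD-II port all look identical to it."""
    if frame.arbitration_id != OBD_FUNCTIONAL_REQUEST_ID:
        return None
    if frame.data[:3] != bytes([2, MODE_CURRENT_DATA, PID_ENGINE_RPM]):
        return None
    raw = current_rpm * 4
    payload = bytes([4, MODE_CURRENT_DATA + 0x40, PID_ENGINE_RPM, raw >> 8, raw & 0xFF])
    return CanFrame(OBD_RESPONSE_ID_BASE, _pad(payload))


if __name__ == "__main__":
    request = build_rpm_request()
    reply = ecu_handle(request, 2500)
    print(f"request {request.arbitration_id:#05x} {request.data.hex()}")
    print(f"reply   {reply.arbitration_id:#05x} {reply.data.hex()} -> {decode_rpm_response(reply)} rpm")
```

The same request/response pattern, with different PIDs, is how the dongle gathers every other signal it reports; a node that can write to the bus can issue these requests, and, on vehicles where control messages share the bus, other traffic too.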

"Anything on the bus can talk to anything [else] on the bus," he says. "You could do a cellular man-in-the-middle attack" on the device's communications to Progressive, because there is no authentication or encryption. Such a MITM would require spoofing a cell tower to capture the traffic, which Thuen did not test.

Data could also leak over the air. "What happens if Progressive's servers are compromised?" he says. "An attacker who controls that dongle has full control of the vehicle."
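What "no authentication or encryption" on the uplink buys an attacker, as an added illustration rather than anything from Progressive's or Xirgo's systems: the record format, the per-device key provisioned at manufacture and the server-side check are all assumed for the example. The weak path is what a plaintext upload amounts to, and a man-in-the-middle can rewrite a trip record undetected; the hardened path binds each record to the device key and a monotonic counter with HMAC-SHA256, so a tampered or replayed record is rejected. HMAC gives integrity and origin only; confidentiality still needs TLS (with the server certificate pinned) underneath it.

```python
"""Unauthenticated vs. authenticated telemetry upload (added example, assumed format)."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed per-device secret, as if provisioned at manufacture (assumption).
DEVICE_KEY = bytes.fromhex("0f" * 32)


def serialize(record: dict) -> bytes:
    # Canonical JSON so both sides MAC exactly the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# --- weak path: plaintext, no origin check --------------------------------
def weak_send(record: dict) -> bytes:
    return serialize(record)


def weak_receive(wire: bytes) -> dict:
    return json.loads(wire)            # accepts whatever arrived, from whoever sent it


# --- hardened path: keyed MAC plus anti-replay counter --------------------
def auth_send(record: dict, key: bytes, counter: int) -> bytes:
    body = serialize({"ctr": counter, "data": record})
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return serialize({"body": body.decode(), "tag": tag})


class Receiver:
    """Server side: verifies the tag before parsing, then enforces a strictly
    increasing counter so a captured upload cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_ctr = -1

    def receive(self, wire: bytes) -> Optional[dict]:
        envelope = json.loads(wire)
        body = envelope["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return None                # forged or modified in transit
        inner = json.loads(body)
        if inner["ctr"] <= self.last_ctr:
            return None                # replay of an old upload
        self.last_ctr = inner["ctr"]
        return inner["data"]


def mitm_tamper(wire: bytes) -> bytes:
    """Attacker sitting between dongle and server zeroes the hard-braking count,
    which is the kind of field a usage-based rate depends on (constructed)."""
    envelope = json.loads(wire)
    if "body" in envelope:             # hardened envelope: edit the inner record
        inner = json.loads(envelope["body"])
        inner["data"]["hard_brakes"] = 0
        envelope["body"] = serialize(inner).decode()
        return serialize(envelope)
    envelope["hard_brakes"] = 0        # weak path: the record itself is on the wire
    return serialize(envelope)


if __name__ == "__main__":
    trip = {"device": "example-0001", "rpm_max": 3200, "hard_brakes": 4}   # constructed
    print("weak   :", weak_receive(mitm_tamper(weak_send(trip))))
    server = Receiver(DEVICE_KEY)
    print("honest :", server.receive(auth_send(trip, DEVICE_KEY, 1)))
    print("tamper :", server.receive(mitm_tamper(auth_send(trip, DEVICE_KEY, 2))))
    print("replay :", server.receive(auth_send(trip, DEVICE_KEY, 1)))
```

The counter is the part people forget: a MAC alone lets the attacker resend yesterday's clean record every day, which is just as useful to someone gaming a rate as editing it.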

The official responses from Xirgo, which manufactures the dongle, and from Progressive are not exactly reassuring.

Xirgo had not responded to Forbes' requests for comment. Thuen said he had tried to disclose his findings to Xirgo but got no response. Progressive said it had not heard from Thuen, but gave Forbes this statement by email: "The safety of our customers is paramount to us. We are confident in the performance of our Snapshot device – used in more than two million vehicles since 2008 – and routinely monitor the security of our device to help ensure customer safety.

“However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.”

It is easy to imagine an information-warfare operation by an adversary of the U.S. that targets automobiles; an actor who could shut down traffic across the country could paralyze the economy.

Hat tip: Real-Time Science & Technology News at BadBlue Tech.


Francis W. Porretto said...

"By an adversary of the U.S." -- ? My mind is reeling with the possibilities the governments of the U.S. could see in such a device. I kinda wish this article hadn't surfaced, as it might give them even more ideas.

Anonymous said...

First time I saw this commercial, I knew out of the gate it wasn't going on my car voluntarily. Of course, there's nothing to stop the government from putting them on new cars when they want to place them there.

Anonymous said...

George Orwell was an F’ing optimist!

First there was ‘Fitbit’ to monitor you, now we have this to monitor your car.

How long will it take before our gracious and ever so wonderful ‘betters’ in the Government “Decide” that everyone will need to volunteer to have these devices… for our and the common good?