http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/
By Thomas Fox-Brewster
Forbes Staff
1/15/2015
Corey Thuen has been braving the snow and sub-zero temperatures of Idaho
nights in recent weeks, though any passerby would have been perplexed by a
man, laptop in hand, tinkering with his aptly-named 2013 Toyota Tundra at
such an ungodly hour.
He hasn’t been doing repairs, however. Quite the opposite. Thuen, a
security researcher at Digital Bond Labs who will present his findings at
the S4 conference in a talk titled Remote Control Automobiles, has been
figuring out how he might hack the vehicle’s on-board network via a dongle
that connects to the OBD2 port of his pickup truck. That little device,
Snapshot, provided by one of the biggest insurance providers in the US,
Progressive Insurance, is supposed to track his driving to determine
whether he deserves to pay a little more or less for his cover. It’s used
in more than two million vehicles in the US. But it’s wholly lacking in
security, meaning it could be exploited to allow a hacker, be they in the
car or outside, to take control over core vehicular functions, he claims.
It’s long been theorised that such usage-based insurance dongles, which
are permeating the market apace, would be a viable attack vector. Thuen
says he’s now proven those hypotheses; previous attacks via dongles either
didn’t name the OBD2 devices or focused on another kind of technology,
namely Zubie, which tracks the performance of vehicles for maintenance and
safety purposes.
But he hasn’t gone as far as to actually mess with the controls of his
Toyota. By hooking up his laptop directly to the device he says he would
have been able to unlock doors, start the car and gather engine
information, but he chose not to “weaponise” his exploits, he told Forbes.
“Controlling it wasn’t the focus, finding out if it was possible was the
focus.”
[...]