Progressive Insurance’s Bluetooth tool to track driver data can be misused to compromise personal data of more than 2 million car owners and even hijack cars
Snapshot is a Bluetooth tool provided by one of United States largest car insurance firms, Progressive Insurance, to track driver habits for insurance purpose. It is normally used to collect vehicle location, driving speeds and driving patterns to build custom car insurance policies or determine the premium on a car owner.
Corey Thuen, a security researcher at Digital Bond Labs says that the Snapshot is vulnerable to hacking and using the hacked Snapshot, a potential hacker can remotely hijack personal details of approximately 2 million car users in the United States who buy car insurance from Progressive Insurance. In extreme cases it can even be used to hijack the car itself says Thuen.
Thuen will present his findings at the S4 conference in a talk titled Remote Control Automobiles about the Snapshot vulnerabilities.
Thuen says the problem lies in Snapshot extremely insecure and vulnerable firmware,”The firmware running on the dongle is minimal and insecure,” Thuen told Forbes.
Thuen found out that Snapshot connects the vehicle’s onboard network via the OBD2 port. This provides opportunity for cyber criminals to hack Snapshot and allow the would be hacker, be they in the car or outside, to take control over core vehicular functions, he claims.
Thuen says that it has been theorized by many cyber security experts that such usage-based insurance dongles would be a viable attack vector, but now his exploit proves the same to be true. He gives reasons for his success because earlier hypotheses of attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes.
He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. Snapshot is manufactured by technology licensed from Xirgo Technologies and is completely lacking security department, says Thuen, “It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.”
The researcher told Forbes that for a remote attack to take place, the concomitant U-Blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too.
Thuen said that he didnt not ‘weaponise’ his exploit but says that a dedicated cyber criminal or gang with more complex infrastructure can use this threat vector for bigger attacks and even cause fatalities.
Forbes said that SnapShot manufacturer Xirgo Technologies did not respond to their queries about the vulnerabilities in the device, where Progressive Insurance said that it was not informed about the hack or the talk Thuen will deliver. It said that it welcomed any input for security the vulnerabilities in the dongle.
“The safety of our customers is paramount to us. We are confident in the performance of our Snapshot device – used in more than two million vehicles since 2008 – and routinely monitor the security of our device to help ensure customer safety.” Progressive Insurance told Forbes in a emailed comment. It added, “However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.”