Speaking at the S4 conference in Miami last week, Digital Bond Labs researcher Corey Thuen detailed how US-based Progressive Insurance has been handing out insecure USB dongles to its customers, with these vulnerable to data theft and a remote access attack, where hackers could potentially access some of a car's functions.
Thuen came to this conclusion after reverse-engineering the firmware of the ‘Snapshot' dongles, which are manufactured by California-based Xirgo Technologies and inserted into a car's OBD2 port to track driving habits, such as speed and location. This enables insurers to assess the driver's insurance risk and adjust their insurance premiums accordingly.
Speaking to Forbes, Thuen explained how he connected his laptop physically to the device, and said that the firmware on the dongle is ‘minimal and insecure'.
"It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever,” he said.
“I suspected that these dongles were built insecurely, and I was correct. The technology being used in them is outdated and vulnerable to attack which is highly troubling considering it is being used to remotely access insecure by design vehicle computers. A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb."
Thuen says that – for a remote access attack to happen – attackers would also have to compromise the U-blox modem – which is used to manage the connection between the dongle and Progressive's servers – and further warned that another way into the vehicle could come via breaching the company's own servers.
Thuen contacted Xirgo Technologies to share this information but didn't hear back from the company, although the firm has confirmed the dongle is in use in two million cars. Progressive Insurance says that is willing to look at “credible evidence” about a potential vulnerability in the devices they use.
"We are confident in the performance of our Snapshot device and routinely monitor the security of our device to help ensure customer safety," the firm said.
Ken Munro, founder and partner at Pen Test Partners, recently managed to hack into the BMW i3 and i8 cars by using the iRemote mobile application and he said that this was another example of technology being rushed to market, without security front of mind.
“This yet another example of technology being rushed to market without proper consideration of its security,” he told SCMagazineUK.com.
“ODB2 dongles have been available for years on the open market, primarily for diagnostics, but also for modification of vehicle functions. For example, features enabled on high-end models are sometimes simply disabled in lower end versions. Hence it's possible to enable, for example, launch control modes, sport modes and much more, depending on the vehicle and length that you're prepared to go to.
“Obviously, the user does this voluntarily, fully in the knowledge of warranty-voiding actions and potential to ‘brick' their car. However, in the case of the Xirgo monitor, the user could be unwittingly making their car less secure. Signed firmware and updates are a must, underlined by the BadUSB issue. Secure boot is essential.”
Munro added that Xirgo might be able to update the firmware over-the-air (OTA) providing the device has enough bandwidth. “That might resolve the problem, but will take a lot of effort," he added.
David Emm, principal security researcher at Kaspersky Lab, said in an email to journalists: “This is just another example of how, as our cars become increasingly connected, we open the door to threats that have long existed in the PC and smartphone world. As well as gaining remote access to the vehicle, by compromising USB dongles cyber-criminals could potentially exploit features such as self-parking, active lane control, pre-collision systems and adaptive cruise control, all of which require some level of communication between a sensor and the brakes, acceleration or steering, usually over Bluetooth or some other radio signal.
“As vehicles become increasingly connected and autonomous, we can only expect to see more attacks of this nature. As a result, everyone involved in the creation of a connected vehicle – including policy makers - needs to work together to ensure these points of weakness are dealt with, and security implemented, before connected vehicles make it onto our drives and onto our roads. At the same time, owners of next generation cars must wake up to the fact that threats specific to the computer world now apply to connected vehicles and take these risks into account.”