Hacking Cars through Insurance Dongles

Car owners are typically trying to save money on their car insurance whenever possible. Car insurance companies, on the other hand, are always seeking ways to find out just which of their customers can be trusted more. To the benefit of both parties, Progressive Insurance started using a dongle that attaches to the diagnostic port of your car, and monitors a number of different aspects of the user’s driving habits, location, and other data, which are remotely sent to the Progressive Insurance servers.

Recently, Corey Thuen, a security researcher at Digital Bond Labs, has discovered that these devices, which are in use on over 2 million cars in the United States alone, are very vulnerable to attacks. He was able to connect his laptop to the device directly and says he could have gained access to certain features and would have been to perform actions such as locking and unlocking the doors, starting the car, collect information about the car, and more. He chose not to, however. His point was to see if it was possible. In doing so, he discovered many insecure elements of the device:

“The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.” He adds that “a skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.” And that, to say the least is quite concerning.

In conclusion, the idea of having such a dongle installed in your car to monitor the driving habits of the users seeking to lower their insurance rates is a good one, but companies like Progressive need to make sure they are aware of the risk they put their drivers in by installing practically completely insecure, remotely accessible device into their cars. It’s one thing to collect driving information and another to gain remote control of someone’s car and possibly endangering their lives. As long as this issue is not taken care of, I think it’s irresponsible for insurance companies to continue this practice. After all, we know already that anything that can be exploited, will be exploited at some point in time.