Tuesday, January 20, 2015

Insurance Company's techno snitch entirely lacking in security

And when I say "entirely", I mean entirely:
Thuen, a security researcher at Digital Bond Labs who will present his findings at the S4 conference in a talk titled Remote Control Automobiles, has been figuring out how he might hack the vehicle’s on-board network via a dongle that connects to the OBD2 port of his pickup truck. That little device, Snapshot, provided by one of the biggest insurance providers in the US, Progressive Insurance, is supposed to track his driving to determine whether he deserves to pay a little more or less for his cover. It’s used in more than two million vehicles in the US. But it’s wholly lacking in security, meaning it could be exploited to allow a hacker, be they in the car or outside, to take control over core vehicular functions, he claims.


It’s long been theorised that such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes.
This is my shocked face.  "Wholly lacking in security" is no exaggeration:
“The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.”
Security wasn't an afterthought; it wasn't thought of at all.  Other than that, it's awesome.
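The first item on that list of missing controls is validation and signing of firmware updates. The following is an added example, not code from this post or from any of the companies or researchers it names, of the check an updater or bootloader runs before it will accept an image. To stay within the Python standard library it uses a Lamport one-time signature over SHA-256 rather than a library-backed Ed25519 or ECDSA signature; the key pair, the firmware bytes and the signature are all constructed inline. The control flow is what matters and is the same in either case: the device stores only the vendor's public key, and nothing is installed unless verify() passes.

```python
"""Firmware-update signature validation (added example, standard library only).

Lamport one-time signatures: the private key is 256 pairs of random
32-byte secrets, the public key is the SHA-256 of each secret. Signing a
256-bit digest reveals one secret per digest bit; verifying re-hashes
each revealed secret and compares it with the pinned public key.
A product would use Ed25519/ECDSA from a vetted library, but the shape
of the check (public key on the device, private key at the vendor,
install only after a successful verify) is identical.
"""
import hashlib
import secrets

HASH = hashlib.sha256
N = 256           # digest bits; one secret pair per bit
SECRET_LEN = 32   # bytes per secret


def keygen(rng=secrets.token_bytes):
    """Vendor side: generate a one-time key pair.

    The private key signs exactly one image; reusing it leaks enough
    secrets for an attacker to forge, so a vendor keeps one key per release.
    """
    sk = [(rng(SECRET_LEN), rng(SECRET_LEN)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _bits(digest: bytes):
    """Big-endian bit list of a 32-byte digest."""
    v = int.from_bytes(digest, "big")
    return [(v >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, image: bytes) -> bytes:
    """Vendor side: reveal, for each digest bit, the matching secret."""
    d = HASH(image).digest()
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(d)))


def verify(pk, image: bytes, sig: bytes) -> bool:
    """Device side: every revealed secret must hash to the pinned public key.

    Length is checked first so a truncated or empty signature is rejected
    before any bytes are interpreted.
    """
    if len(sig) != N * SECRET_LEN:
        return False
    d = HASH(image).digest()
    for i, bit in enumerate(_bits(d)):
        chunk = sig[SECRET_LEN * i: SECRET_LEN * (i + 1)]
        if HASH(chunk).digest() != pk[i][bit]:
            return False
    return True


def apply_update(pk, image: bytes, sig: bytes) -> str:
    """The only path to 'installed' runs through verify()."""
    if not verify(pk, image, sig):
        return "rejected"
    # A real updater would now write the image to flash; here we just report.
    return "installed"


def demo() -> dict:
    """Constructed scenario: a signed release, then a tampered copy of it."""
    vendor_sk, device_pk = keygen()
    release = b"DONGLE-FW 1.2.0 (constructed sample image)"
    sig = sign(vendor_sk, release)
    tampered = release.replace(b"1.2.0", b"1.2.1")  # same length, one byte changed
    return {
        "genuine": apply_update(device_pk, release, sig),
        "tampered": apply_update(device_pk, tampered, sig),
        "unsigned": apply_update(device_pk, release, b""),
        "truncated": apply_update(device_pk, release, sig[:-1]),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

Any change to the image flips at least one digest bit, so the attacker would need the un-revealed secret for that bit, which only the vendor holds; a signature made under a different vendor key fails the same way. A dongle that skips this check, as the quoted assessment says Snapshot does, will run whatever image it is handed.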

Me?  None of those are coming anywhere near my cars.

4 comments:

Expatriate Owl said...

Progressive Insurance? Isn't that leftie bankroller Peter Lewis's outfit?

Ken said...

Yes.

Eric Wilner said...

Y'know, if I were designing a bus sniffer, I wouldn't give it the ability to transmit on the bus. There might be privacy issues, but there'd be no opportunity for sabotage, no matter how bad the firmware was.
Are these clowns pushing a sniffer that's supposed to listen to the traffic going by, but that has the bonus capability of injecting traffic onto the bus and messing up the systems that belong on the bus?
Sometimes I think there are no grown-ups in the business at all.

Weetabix said...

Yikes! If I get an OBD-II dongle for my own monitoring with the Turbo app, am I similarly at risk?