SoylentNews is people

posted by martyb on Thursday January 22 2015, @02:31AM
from the Progressive-for-the-hackers dept.

An electronic dongle used to connect to the onboard diagnostic systems of more than two million cars and trucks contains few defenses against hacking, an omission that makes them vulnerable to wireless attacks that take control of a vehicle, according to published reports.

US-based Progressive Insurance said it has used the SnapShot device in more than two million vehicles since 2008. The dongle tracks users' driving to help determine if they qualify for lower rates. According to security researcher Corey Thuen, it performs no validation or signing of firmware updates, has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols. SnapShot connects to the OBDII port of Thuen's 2013 Toyota Tundra pickup truck, according to Forbes ( http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/ ). From there, it runs on the CANbus networks that control braking, park assist and steering, and other sensitive functions.

http://arstechnica.com/security/2015/01/wireless-device-in-two-million-cars-wide-open-to-hacking/
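The summary lists "no validation or signing of firmware updates" as the first missing defense. The following is an added example, not code from Progressive, the SnapShot device or the researcher, showing what such a check looks like on the device side: a hypothetical update format (4-byte version, payload, detached Ed25519 signature over version and payload hash) is verified against a pinned vendor public key, and an anti-rollback rule rejects any image whose version is not newer than the installed one. The format, key handling and version rule are assumptions for illustration; only Go's standard `crypto/ed25519` package is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the hypothetical over-the-air update format assumed here:
// a version number, the raw firmware payload, and a detached Ed25519
// signature over (version || sha256(payload)).
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage is the exact byte string the vendor signs and the device
// verifies: the version is bound into it so a valid old image cannot be
// re-labelled as a newer one.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// SignUpdate is the build-server side: it produces the detached signature.
// The private key never leaves the vendor; the device only holds the public key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

var (
	ErrBadSignature = errors.New("firmware signature invalid or missing")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// VerifyUpdate is the device side. The signature is checked first, under the
// pinned public key, before any field of the update is trusted; only then is
// the version compared against the installed one to block downgrades.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed vendor key pair for the demo; a real device would pin pub only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fw := []byte("constructed firmware image v2") // constructed sample payload

	good := SignUpdate(priv, 2, fw)
	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, good)) // <nil>

	tampered := good
	tampered.Payload = append([]byte(nil), fw...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered payload:", VerifyUpdate(pub, 1, tampered)) // signature invalid

	fmt.Println("replay of v2 onto a v3 device:", VerifyUpdate(pub, 3, good)) // rollback

	unsigned := Update{Version: 9, Payload: fw}
	fmt.Println("unsigned update:", VerifyUpdate(pub, 1, unsigned)) // signature invalid
}
```

The order of the two checks matters: the version field is only meaningful once the signature over it has been verified, so an unsigned image cannot pass the rollback test by simply claiming a high version number.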

  • (Score: 3, Insightful) by GungnirSniper on Thursday January 22 2015, @03:40AM

    by GungnirSniper (1671) on Thursday January 22 2015, @03:40AM (#136868) Journal

    How very progressive of them. How long will it take before we're given the "choice" of using these devices or paying double or worse? Then the working poor will have to take the privacy violation just to drive.

    • (Score: 3, Interesting) by bob_super on Thursday January 22 2015, @05:06PM

      by bob_super (1357) on Thursday January 22 2015, @05:06PM (#136993)

      It won't be long before you can't drive without one of these, and the cops will just send you tickets automatically.
      Why bother with radars and speed traps when you can mandate self-reporting?

  • (Score: 4, Informative) by N3Roaster on Thursday January 22 2015, @03:47AM

    by N3Roaster (3860) <roaster@wilsonscoffee.com> on Thursday January 22 2015, @03:47AM (#136869) Homepage Journal

    While I wouldn't dismiss the seriousness of this (as Progressive unfortunately seems to be doing at the moment), the source of the two million number in both articles seems to be Progressive's claim that the device in question has been used in two million devices since 2008. The number of vehicles currently vulnerable through these devices is likely much lower as the way the SnapShot program works is Progressive sends you the dongle, you leave it plugged into your vehicle for a few months, and then you send it back. Given the time frame in question, the number of vehicles presently at risk is probably an order of magnitude lower.

    • (Score: 2) by dyingtolive on Thursday January 22 2015, @04:07AM

      by dyingtolive (952) on Thursday January 22 2015, @04:07AM (#136872)

      It's all fun and games until some misanthrope sends someone else's car barreling into a ditch with their phone, I guess.

      ...well, okay, that damn near happens all the time already, I guess.

      --
      Don't blame me, I voted for moose wang!
      • (Score: 1) by tftp on Thursday January 22 2015, @07:12AM

        by tftp (806) on Thursday January 22 2015, @07:12AM (#136891) Homepage

        until some misanthrope sends someone else's car barreling into a ditch with their phone, I guess. ...well, okay, that damn near happens all the time already, I guess.

        Yes, but with the driver's own phone.

    • (Score: 3, Interesting) by yarp on Thursday January 22 2015, @09:00AM

      by yarp (2665) on Thursday January 22 2015, @09:00AM (#136903)

      The attack surface is thankfully quite small at the moment (requires setting up a fake cell, finding a vulnerable dongle, coaxing it to download malware) but this highlights that CANbus was designed to be a closed system with scant (or no) regard given to security. This was fine when the only external access was connecting a fault code reader but with the trend to get everything connected it could become akin to leaving a box on the internet with telnet open and a blank root password. Except that cars are boxes that might be a bit more dangerous to have respond to arbitrary commands.

      There are some interesting reports from 2010/2011 that give more information on the subject of vehicle security: http://www.autosec.org/publications.html [autosec.org]

  • (Score: 0) by Anonymous Coward on Thursday January 22 2015, @05:23AM

    by Anonymous Coward on Thursday January 22 2015, @05:23AM (#136877)

    Can I run Linux on it then?

  • (Score: 0) by Anonymous Coward on Thursday January 22 2015, @06:20AM

    by Anonymous Coward on Thursday January 22 2015, @06:20AM (#136887)

    I recognize that this is something you *attach* to your car, but this is why I drive a '96. It doesn't have built in devices whose security design depends on the Goodness of People. Too many cars do, and for 2M vehicles to have been exposed to this sort of security nightmare is pretty obscene.

    • (Score: 2) by paulej72 on Thursday January 22 2015, @02:56PM

      by paulej72 (58) on Thursday January 22 2015, @02:56PM (#136960) Journal

      If it is a '96 then it does have these systems. 96 was the first year of the mandated OBD II connector, for cars sold in the US (ignore me if you live elsewhere). So it might be possible to screw with your car.

      --
      Team Leader for SN Development
  • (Score: 5, Insightful) by novak on Thursday January 22 2015, @10:06AM

    by novak (4683) on Thursday January 22 2015, @10:06AM (#136911) Homepage

    This is exactly why computerizing and connecting everything is a terrible idea. This is why "the internet of things" (no capitalization deserved) is a terrible idea. Since this is on a car and could quite literally kill people, it's going to be fixed. Want to bet that the company that sold you your thermostat a decade ago and since went out of business will be able to provide the same service?

    --
    novak