SoylentNews is people
SoylentNews
An electronic dongle used to connect to the onboard diagnostic systems of more than two million cars and trucks contains few defenses against hacking, an omission that makes them vulnerable to wireless attacks that take control of a vehicle, according to published reports.
US-based Progressive Insurance said it has used the SnapShot device in more than two million vehicles since 2008. The dongle tracks users' driving to help determine if they qualify for lower rates. According to security researcher Corey Thuen, it performs no validation or signing of firmware updates, has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols. SnapShot connects to the OBDII port of Thuen's 2013 Toyota Tundra pickup truck, according to Forbes ( http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/ ). From there, it runs on the CANbus networks that control braking, park assist and steering, and other sensitive functions.
http://arstechnica.com/security/2015/01/wireless-device-in-two-million-cars-wide-open-to-hacking/
(Score: 4, Informative) by N3Roaster on Thursday January 22 2015, @03:47AM
While I wouldn't dismiss the seriousness of this (as Progressive unfortunately seems to be doing at the moment), the source of the two million number in both articles seems to be Progressive's claim that the device in question has been used in two million devices since 2008. The number of vehicles currently vulnerable through these devices is likely much lower as the way the SnapShot program works is Progressive sends you the dongle, you leave it plugged into your vehicle for a few months, and then you send it back. Given the time frame in question, the number of vehicles presently at risk is probably an order of magnitude lower.
Typica - Free software for coffee roasting professionals. [typica.us]
(Score: 2) by dyingtolive on Thursday January 22 2015, @04:07AM
It's all fun and games until some misanthrope sends someone else's car barreling into a ditch with their phone, I guess.
...well, okay, that damn near happens all the time already, I guess.
Don't blame me, I voted for moose wang!
(Score: 1) by tftp on Thursday January 22 2015, @07:12AM
Yes, but with the driver's own phone.
(Score: 3, Interesting) by yarp on Thursday January 22 2015, @09:00AM
The attack surface is thankfully quite small at the moment (requires setting up a fake cell, finding a vulnerable dongle, coaxing it to download malware) but this highlights that CANbus was designed to be a closed system with scant (or no) regard given to security. This was fine when the only external access was connecting a fault code reader but with the trend to get everything connected it could become akin to leaving a box on the internet with telnet open and a blank root password. Except that cars are boxes that might bit more dangerous to have respond to arbitrary commands.
There are some interesting reports from 2010/2011 that give more information on the subject of vehicle security: http://www.autosec.org/publications.html [autosec.org]