
SoylentNews is people

posted by martyb on Thursday January 22 2015, @02:31AM
from the Progressive-for-the-hackers dept.

An electronic dongle used to connect to the onboard diagnostic systems of more than two million cars and trucks contains few defenses against hacking, an omission that makes them vulnerable to wireless attacks that take control of a vehicle, according to published reports.

US-based Progressive Insurance said it has used the SnapShot device in more than two million vehicles since 2008. The dongle tracks users' driving to help determine if they qualify for lower rates. According to security researcher Corey Thuen, it performs no validation or signing of firmware updates, has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols. SnapShot connects to the OBDII port of Thuen's 2013 Toyota Tundra pickup truck, according to Forbes ( http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/ ). From there, it runs on the CANbus networks that control braking, park assist and steering, and other sensitive functions.

http://arstechnica.com/security/2015/01/wireless-device-in-two-million-cars-wide-open-to-hacking/

 
  • (Score: 3, Interesting) by yarp (2665) on Thursday January 22 2015, @09:00AM (#136903)

    The attack surface is thankfully quite small at the moment (requires setting up a fake cell, finding a vulnerable dongle, coaxing it to download malware) but this highlights that CANbus was designed to be a closed system with scant (or no) regard given to security. This was fine when the only external access was connecting a fault code reader, but with the trend to get everything connected it could become akin to leaving a box on the internet with telnet open and a blank root password. Except that cars are boxes that might be a bit more dangerous to have respond to arbitrary commands.

    There are some interesting reports from 2010/2011 that give more information on the subject of vehicle security: http://www.autosec.org/publications.html [autosec.org]
