Vulnerable device allows hackers to get access to two million American cars

A dongle that an American insurance company has installed in the cars of 2 million customers allows hackers to take partial control of the vehicle. The dongle tracks driving behavior, and the insurer uses its data to decide whether the driver pays higher or lower fees.

Security researcher Corey Thuen of Digital Bond discovered that the dongle, called Snapshot, is barely secured. An attacker can gain access to the car's network and use it to unlock doors, start the car and gather engine information. For his research, Thuen analysed the dongle's firmware and found that it doesn't check firmware updates, doesn't perform a secure boot, and doesn't use encryption, authentication or any technology to mitigate attacks.

"Basically it uses no security technologies whatsoever," the researcher said in an interview with Forbes.

"I suspected that these dongles were built insecurely, and I was correct. The technology being used in them is outdated and vulnerable to attack which is highly troubling considering it is being used to remotely access insecure by design vehicle computers," he said. "A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb."

To get remote access to the dongle, an attacker can target the modem. According to Thuen, the backend infrastructure can also be attacked; once those systems are compromised, the attacker can get access to the dongle. Progressive Insurance states that the security of its customers is important to it and that it therefore regularly checks the security of the dongle.