Progressive Insurance offers customers the option to plug a device into their cars' OBDII ports to track their driving and lower their insurance rates. Unsurprisingly, it's about as secure as a Tiffany necklace left on a sidewalk. But that doesn't mean the dongle will turn your car into a killer robot.
Over two million Progressive customers have opted in to the program that allows the insurance company to track driving habits using the Snapshot-branded OBDII dongle. Flo's minions use the data to determine if the driver can get a lower insurance rate based on the information sent from the dongle to Progressive's servers over a data connection embedded in the device.
Corey Thuen, a senior researcher with Digital Bond Labs, plugged the Snapshot into his 2013 Toyota Tacoma and tore through the hardware and software, reverse-engineering it to see what kind of security was used to encrypt information between the device and Progressive's computers. The answer: pretty much nothing.
"Essentially, there was no security, no encryption," Thuen's boss, Digital Bond Labs founder and CEO Dale Peterson told Jalopnik. "It's insecure by design."
The dongle doesn't use any kind of network authentication to encrypt the data, the firmware isn't signed or validated, and it uses the infamously insecure FTP – the same protocol to upload and download files from your home server – to keep the bits flowing.
"Secure coding practices – the ways of writing code to expose bugs and vulnerabilities, things you learn at your first [computer security] course – aren't there," says Peterson.
Thuen and Digital Bond Labs focused on that connection between the dongle and the servers. The concern is that malicious parties could either intercept the signal between the device and Progressive or hack into the insurance company's network to snag driving data. But the larger concern is that the OBDII port has access to the car's onboard computers – the CAN bus – which controls damn near everything in the car.
It's a vulnerability other researchers have explored in the past, but with varying levels of success. In most cases, it just results in a series of fear mongering, bullshit headlines about remote-controlled death robots out to kill you, grandma, and kittens. And in nearly every case, hackers would have to know exactly what kind of encryption is used on that specific model, hack it, and gain access to the CAN bus system, almost always through physical access to the car.
Despite more alarmist crap about Thuen's research, that wasn't what he or Digital Bond Labs were after. "What that dongle can do the car, we didn't touch that," says Peterson.
Instead, it's more proof that security in the era of the Internet of Things – where everything you own is somehow connected – is woefully lacking.
"They can't just be handing people these devices without any thought of the security," says Peterson. "You can take complete control of that dongle and you shouldn't be able to do that."
The safety of our customers is paramount to us. We are confident in the performance of our Snapshot device – used in more than two million vehicles since 2008 – and routinely monitor the security of our device to help ensure customer safety.
However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it's unfortunate that Mr. Thuen didn't share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.