[ISN] Hacker Says Attacks On ‘Insecure’ Progressive Insurance Dongle In 2 Million US Cars Could Spawn Road Carnage

http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/ By Thomas Fox-Brewster Forbes Staff 1/15/2015 Corey Thuen has been braving the snow and sub-zero temperatures of Idaho nights in recent weeks, though any passerby would have been perplexed by a man, laptop in hand, tinkering with his aptly-named 2013 Toyota Tundra at such an ungodly hour. He hasn’t been doing repairs, however. Quite the opposite. Thuen, a security researcher at Digital Bond Labs who will present his findings at the S4 conference in a talk titled Remote Control Automobiles, has been figuring out how he might hack the vehicle’s on-board network via a dongle that connects to the OBD2 port of his pickup truck. That little device, Snapshot, provided by one of the biggest insurance providers in the US, Progressive Insurance, is supposed to track his driving to determine whether he deserves to pay a little more or less for his cover. It’s used in more than two million vehicles in the US. But it’s wholly lacking in security, meaning it could be exploited to allow a hacker, be they in the car or outside, to take control over core vehicular functions, he claims. It’s long been theorised that such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. But he hasn’t gone as far to actually mess with the controls of his Toyota. By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits, he told Forbes. “Controlling it wasn’t the focus, finding out if it was possible was the focus.” […]