Corey Thuen, a security researcher at Digital Bond Labs says that the Snapshot is vulnerable to hacking and using the hacked Snapshot, a potential hacker can remotely hijack personal details of approximately 2 million car users in the United States who buy car insurance from Progressive Insurance. In extreme cases it can even be used to hijack the car itself says Thuen. Thuen will present his findings at the S4 conference in a talk titled Remote Control Automobiles about the Snapshot vulnerabilities. Thuen says the problem lies in Snapshot extremely insecure and vulnerable firmware,”The firmware running on the dongle is minimal and insecure,” Thuen told Forbes. Thuen found out that Snapshot connects the vehicle’s onboard network via the OBD2 port. This provides opportunity for cyber criminals to hack Snapshot and allow the would be hacker, be they in the car or outside, to take control over core vehicular functions, he claims. Thuen says that it has been theorized by many cyber security experts that such usage-based insurance dongles would be a viable attack vector, but now his exploit proves the same to be true. He gives reasons for his success because earlier hypotheses of attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. Snapshot is manufactured by technology licensed from Xirgo Technologies and is completely lacking security department, says Thuen, “It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.” The researcher told Forbes that for a remote attack to take place, the concomitant U-Blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too. Thuen said that he didnt not ‘weaponise’ his exploit but says that a dedicated cyber criminal or gang with more complex infrastructure can use this threat vector for bigger attacks and even cause fatalities. Forbes said that SnapShot manufacturer Xirgo Technologies did not respond to their queries about the vulnerabilities in the device, where Progressive Insurance said that it was not informed about the hack or the talk Thuen will deliver. It said that it welcomed any input for security the vulnerabilities in the dongle.
