No, Flo! Progressive's Car Dongle May Put Millions at Risk
An animated version of Flo advertises the Snapshot ODB-II dongle. Credit: Progressive
UPDATE: Tom's Guide has received a statement from Progressive regarding the exploit:
"We are confident in the performance of our Snapshot device — used in more than two million vehicles since 2008 — and routinely monitor the security of our device to help ensure customer safety. To be clear, the researcher was not able to control any vehicle functions and we do not have evidence that anyone else has been able to do so. However, we take security very seriously and intend to investigate the matter thoroughly."
Computers and mobile devices are relatively secure, if you know what you're doing. But remember: If it has an operating system, it's open to exploits.
Progressive, an American company that offers auto insurance and airs funny ads starring a woman named "Flo," lets its customers use a dongle plugged into their cars to transmit data in exchange for discounts on premiums. Unfortunately for those customers, the dongle may have no security protocols whatsoever and, if so, could broadcast their data to just about anyone.
IT-security online magazine Dark Reading published information from last week's S4x15 Conference in Miami, where researcher Cory Thuen of Digital Bond in Sunrise, Florida first shared information about the exploit.
The dongle in question is a device called the Snapshot, and it plugs into a car's OBD-II (onboard diagnostics) port. Every American car and most foreign cars made since 1995 possess OBD-II technology, which tracks a car's state of maintenance and lets mechanics access this information.
The Snapshot gathers OBD-II and transmits it back to Progressive. If a driver keeps his or her car in good shape and drives safely, Progressive grants insurance discounts. The process sounds simple, but Progressive isn't the only entity that can get its hands on this information. While the dongle transmits information, Thuen said it has no kind of authentication or encryption whatsoever.
About two million drivers currently use the Snapshot, and other companies use similar devices — Thuen told Dark Reading's Kelly Jackson Higgins he tested Progressive's device only because the company offered a free trial.
A potential attacker having access to your mileage and maintenance records may not sound like much of a problem, but the OBD-II also ties into the CAN bus: a standardized automobile computer network that links systems like airbags, power steering and parking brakes.
While there is no known malware that targets these systems, it is not inconceivable that a very clever hacker could use the Snapshot as a point of entry to remotely open a car's windows, hijack the speakers or even cut power steering during transit. ODB-II ports, which often can be found under the dashboard, in the center console or in the glove box (here's how to find yours) transmit information both ways.
If you do use a Snapshot or something like it, you may not have to toss it out of the car and run over it just yet, though. A team of researchers exposing a flaw and attackers taking advantage of it are two very different things, and there's no evidence that the latter has occurred yet. Still, you may want to contact Progressive and let the company know what you think.
- Free vs. Paid Antivirus: Avira vs. Bitdefender
- How to Survive a Data Breach
- Best Antivirus Software and Apps