Corey Thuen has been braving the snow and sub-zero temperatures of Idaho nights in recent weeks, though any passerby would have been perplexed by a man, laptop in hand, tinkering with his aptly-named 2013 Toyota Tundra at such an ungodly hour.
He hasn’t been doing repairs, however. Quite the opposite. Thuen, a security researcher at Digital Bond Labs who will present his findings at the S4 conference in a talk titled Remote Control Automobiles, has been figuring out how he might hack the vehicle’s on-board network via a dongle that connects to the OBD2 port of his pickup truck. That little device, Snapshot, provided by one of the biggest insurance providers in the US, Progressive Insurance, is supposed to track his driving to determine whether he deserves to pay a little more or less for his cover. It’s used in more than two million vehicles in the US. But it’s wholly lacking in security, meaning it could be exploited to allow a hacker, be they in the car or outside, to take control over core vehicular functions, he claims.
But he hasn’t gone as far to actually mess with the controls of his Toyota. By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits, he told Forbes. “Controlling it wasn’t the focus, finding out if it was possible was the focus.”
He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.”
The researcher noted that for a remote attack to take place, the concomitant u-blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too. Such systems have been exploited in the past, as noted in a paper here from Ralf-Philipp Weinmann, from the University of Luxembourg.
It’s long been theorised that such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes
Regardless of the steps needed for a successful attack, it’s apparent such dongles are insecure, posing a genuine risk to people’s lives, Thuen added. “I suspected that these dongles were built insecurely, and I was correct. The technology being used in them is outdated and vulnerable to attack which is highly troubling considering it is being used to remotely access insecure by design vehicle computers,” he said. “A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.
“Also, there is the attack vector of Progressive backend infrastructure. If those systems are compromised, an attacker would have control over the devices that make it out to the field.
“In simple terms, we have seen that cars can be hacked and we have seen that cell comms can be hacked.”
Privacy of data within cars is also a growing concern, one highlighted by Thuen’s research. BMW this week said it had repeatedly been asked by technology companies and advertisers to hand over the data their cars generated, but it has refused to give in to those requests. Thuen said it would be possible to intercept data passed between the dongles and the insurance providers’ servers, likely including location and performance information, as they “do nothing to encrypt or otherwise protect the information they collect”.
Xirgo had not responded to Forbes requests for comment. Thuen said he’d tried to disclose his findings to Xirgo but got no response. Progressive said it hadn’t heard from Thuen, but handed this comment via email to Forbes: “The safety of our customers is paramount to us. We are confident in the performance of our Snapshot device – used in more than two million vehicles since 2008 – and routinely monitor the security of our device to help ensure customer safety.
“However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.”
The findings landed on the same day as the World Economic Forum’s Global Risks 2015 report warned about the increasing potential for digital attacks on cars. “There are more devices to secure against hackers, and bigger downsides from failure: hacking the location data on a car is merely an invasion of privacy, whereas hacking the control system of a car would be a threat to life. The current internet infrastructure was not developed with such security concerns in mind,” the report read.
One of the report’s contributors, John Drzik, president for global risk and specialties at insurance giant Marsh, told Forbes the insurance industry hasn’t quite grasped the problem of vehicular digital security.
Drzik said insurance companies could actually provide much of the impetus required to secure cars from hackers. They could, for instance, develop standards for being insured against such cyber risks or within the technologies, he added.