Attacks on 'Insecure' Progressive Insurace Dongle Could Spawn Road Carnage - thealexknapp
http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/

======
imroot
This is something that I've toyed around with a CANbus hacker called CANiTM
(which is open source hardware) -- while I have Nationwide Insurance, I did
call up Progressive and ask for a snapshot; they sent one to my house, and I
was able to save me driving around a farm at reasonable speeds.

I then tweaked the CAN bus parameters a bit -- making the VIN number match the
VIN of my current vehicle, and replaying that a few times during the trip so
that it would seem like I'm a very patient, slow driver, who drives less than
5 miles a day at 8:30 and at 5:15, Monday through Friday, and then sent it
back to Progressive at the end of my 30 day trial.

Progressive quoted me an insanely small number for my auto insurance --
probably around $22/month -- which is about half of what Nationwide charges me
for the same insurance.

It's my understanding that Progressive now is collecting GPS data with their
snapshot tool, so I'm not sure that the same attack/replay would work for
their system.

~~~
oroup
The interesting question is if you obtained insurance this way (almost
certainly fraud IMO) and got in a big expensive wreck, would the insurance
company really be on the hook to pay your costs? (And would they figure it
out?) Not a bet I'd like to take...

~~~
Ricapar
It's about intent. If they can prove you manufactured data you fed to the
dongle, then you're probably in for some trouble.

However, you can have a similar scenario where maybe I work at an office 5
minutes from home over the time I was carrying the dongle, I quit and go to a
job 60 mins from home that crosses a few nasty neighborhoods, etc.

Is it my burden to report this to the insurance company so they can jack my
rates because my risk rating surely went up?

Right now... it likely isn't. I fear for the day when it is.

------
jcr
An interesting aside in all this is potentially getting a free cellular data
modem. Progressive provides a free 30 day trial of "Snapshot" according to
their FAQ [1], so it's possible to get the device itself. Inside the device is
(supposedly) a cellular data modem by u-blox [2] according to the Forbes
article.

Much hilarity and havoc could be wrought if you can get the modem working
outside of the snapshot device. Would you like to be the poor sysadmin at
Progressive who notices that one Snapshot enabled car keeps trolling Homeland
Security and downloading hermaphrodite dwarf porn?

[1] [http://www.progressive.com/auto/snapshot-common-questions/](http://www.progressive.com/auto/snapshot-common-questions/)

[2] [http://www.u-blox.com/en/wireless-modules.html](http://www.u-blox.com/en/wireless-modules.html)

~~~
RyJones
The original cellular Kindles are popular for shucking and pulling the SIM to
use elsewhere.

------
ipsin
_We are confident in the performance of our Snapshot device – used in more
than two million vehicles since 2008 – and routinely monitor the security of
our device to help ensure customer safety._

There's something about the phrasing of the PR statement that really added
credibility to Thuen's claim. Highlighting that it's a seven year old
system, or that you "routinely monitor the security of the device", doesn't
have anything to do with the actual security of the system.

"Routine monitoring" sounds worthless, because they probably don't mean
"routinely dumping the firmware, physically, from the device".

In any event, we'll see soon whether this is a legitimate CANbus bridge, and
if so, all the previously-released exploits come into play.

~~~
a3n
Security through declaration. I'm sure Target would have responded similarly
prior to their POS breach that exposed millions of credit card details. "We
are confident in the performance of our POS terminals - used in more than 5
zillion transactions since 2008 - and routinely monitor the security of our
POS terminals to help ensure customer confidence."

Unfortunately they weren't routinely monitoring the security of their HVAC
systems, which is partly how the attackers gained access to the POS terminals.

And automotive systems like these will eventually be breached via the
insurance companies' HVAC systems, or something equally and superficially
non-related, or by the dealer's unrelated systems, or by drivers' smartphones,
otherwise known as drivers' internet-connected and therefore compromised
computers, or even drivers' music-containing USB thumbdrives (one of which is
plugged in to my vehicle's sound system right now).

These days a car is merely a computer, or collection of computers, with
wheels. Now that they're networked, either in real time or periodically, the
fun begins.

------
kw71
I think it's pretty ridiculous to connect motor vehicle gateways, even
indirectly, to a network. The Toyotas which can be started with CAN bus packets
can also be shut down. The diagnostic test routines are not something that I
want a troublemaker or enemy to send to my car at any time.

There is no way for the carmakers to secure the applications that use these
vehicle networks. Most of them are large enterprises with thousands of sites
and some contractors are global enterprises too. Not only do service tools
(diagnosis/firmware) get widely leaked, but manufacturing and development
tools too: huge enterprises will get their VPNs hacked and their employees
will be subject to laptop theft. Since the industry cannot keep a secret, it
will never be able to provide security.

~~~
TazeTSchnitzel
The way to secure it would be one-way communications, right? Design a system
with separate data-collection and data-transmission components, and a
completely read-only one-way data channel between them.

~~~
mrpippy
Right, and/or just make the connection to the vehicle bus read-only _in
hardware_, i.e. leave the CAN controller's TX line disconnected. I can't see a
reason why a device like this would need to transmit on CAN.

~~~
tonyarkles
Polling for specific data possibly? I don't personally know what data
typically exists on CAN if you monitor it passively, but it seems reasonable
that you might need to ask devices on the network for the data you're looking
for.

~~~
kw71
This. The legislated application layer which must be present requires that the
control module be addressed and specific data requested.

While you might have experience with a modern car that broadcasts some of the
data the dongle is interested in, this is not universal. Where this happens it
may be on a different network segment than what you access physically on the
OBD2 connector. There may or may not be a gateway between networks in the car,
and it may or may not need to be activated, which is not part of the universal
application mandated by CARB/EPA.

In addition the dongle may be interested in some information that may not be
broadcast. For instance the instrument cluster should receive periodic updates
about the current road speed. However it's less likely that something I'd be
interested in if I were an actuary is broadcast: the throttle position!

While the universal CARB/EPA application cannot generally command control
modules, this dongle has access to the PHY and could send packets that
correspond to the manufacturer-specific applications that could be dangerous
while a motor vehicle is in operation.

With the UART based and PWM protocols that preceded CAN, there were some
nuances with the manufacturer-specific protocols on those PHYs that did not
line up with the CARB/EPA mandate, so the more generic gateways will not be
able to construct these kinds of messages. Now, everything is plain CAN; there
is nothing strange about it like "tickle the auxiliary line with the
destination address at 5 bps to wake up that module." Any CAN node will do.
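
kw71's point that throttle position generally has to be requested rather than passively observed, as an added example (not code from the thread, from Progressive or from any vendor): a decoder for OBD-II mode 01 single-frame responses and the request frame a dongle must transmit to obtain a PID. The CAN IDs and PIDs are the standard SAE J1979 values; the sample frames are constructed, and the proprietary broadcast frame is assumed to be undecodable without the manufacturer's definitions.

```python
# Added example (not from the thread): decode OBD-II "mode 01" single-frame
# responses on the diagnostic CAN segment, and build the request frame a dongle
# must transmit to get non-broadcast data such as throttle position.
# All frame values are constructed samples, not captures from a real vehicle.

OBD_REQUEST_ID = 0x7DF                   # functional (broadcast) request address
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)   # ECU responses 0x7E8..0x7EF

# PID -> (name, unit, decoder over data bytes A, B, ...)
PIDS = {
    0x0C: ("engine_rpm", "rpm", lambda d: (d[0] * 256 + d[1]) / 4),
    0x0D: ("vehicle_speed", "km/h", lambda d: d[0]),
    0x11: ("throttle_position", "%", lambda d: d[0] * 100 / 255),
}


def build_mode01_request(pid):
    """ISO 15765-2 single frame: [length, mode, pid, padding...] on CAN ID 0x7DF."""
    payload = [0x02, 0x01, pid]
    return OBD_REQUEST_ID, bytes(payload + [0x00] * (8 - len(payload)))


def decode_mode01_response(can_id, data):
    """Return (name, value, unit) for a mode 01 response frame, else None."""
    if can_id not in OBD_RESPONSE_IDS or len(data) != 8:
        return None
    length, mode, pid = data[0], data[1], data[2]
    if mode != 0x41 or length < 3 or pid not in PIDS:   # 0x41 = mode 0x01 + 0x40
        return None
    name, unit, fn = PIDS[pid]
    return name, fn(data[3:1 + length]), unit           # only 'length' bytes count


def decode_log(frames):
    """Decode a list of (can_id, data) pairs; non-OBD broadcast traffic is skipped."""
    out = {}
    for can_id, data in frames:
        dec = decode_mode01_response(can_id, data)
        if dec:
            out[dec[0]] = (dec[1], dec[2])
    return out

# Constructed sample traffic: one proprietary periodic broadcast (undecodable
# without the manufacturer's definitions) and two diagnostic responses.
SAMPLE_FRAMES = [
    (0x1A0, bytes.fromhex("0000123400000000")),
    (0x7E8, bytes.fromhex("03410D3C00000000")),   # speed: A = 0x3C = 60 km/h
    (0x7E8, bytes.fromhex("0341118000000000")),   # throttle: A = 0x80 -> ~50.2 %
]
```

A listen-only device (TX line disconnected, as mrpippy suggests) would see only the first kind of frame unless some other tool on the bus happens to be issuing requests.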

------
ytNumbers
Looks like it only takes 66 years for science fiction movies to become
reality. The Batman and Robin movie serials of 1949 had an evil villain who
had the technology to take control of all vehicles within a 50 mile radius.
Today, we're darn close to Doctor Evil going worldwide with this. Where's
Batman and Robin when you need them?

[http://www.imdb.com/title/tt0041162/plotsummary?ref_=tt_ql_6](http://www.imdb.com/title/tt0041162/plotsummary?ref_=tt_ql_6)

------
jacquesm
Title fix please: insurace->insurance.

------
millstone
Does the usage dongle actually install unsigned firmware updates received
over-the-air? That's indefensible if so, but the article doesn't say.

------
metafour
I'm surprised he hasn't rearranged his garage to fit his truck in so he can do
his testing from there. It's hard to tell for certain from the picture but it
looks like it should fit height-wise.

~~~
seekingtruth
I think this is the kind of guy who has better uses for his garage than
vehicle storage.

------
drivingmenuts
Does anyone find it odd that insurance companies can demand this kind of
information?

I pay them a fee (not willingly either - it's required by state law) to
provide coverage for me in case of an accident. I tell them how much coverage
I want and pay the amount required for that.

Seems to me that should be the end of it, as with any service.

~~~
uptown
It's currently an opt-in choice by drivers. I fear the day all cars are
connected, and it's no longer a choice, but a mandate by insurance companies.
Cars are already being required to include "black boxes" to record data for
use in accidents. I absolutely anticipate more insurance companies to push for
access to this type of data as part of the terms of covering drivers.

~~~
vaadu
My port is already being used for my own stats gathering. So they need to
supply a hub or splitter.

------
ianpenney
Eric Evenchick (@ericevenchick) did a great talk called "Hopping on the CAN
Bus" at BSidesTO2014.

[https://www.youtube.com/watch?v=qPIscmaIt8U&list=PL02T0JOKYE...](https://www.youtube.com/watch?v=qPIscmaIt8U&list=PL02T0JOKYEq5B3Wq7B-RdbTJ2iQjOWAdI)

------
aaronbrethorst
I wonder what this means for Metromile
([https://www.metromile.com](https://www.metromile.com)). I drive 1-2 times
per week, and I'd considered switching from Geico to Metromile for the cost
savings, but this gives me real pause.

------
vaadu
What is the best OBD2 device on the market to use with my Android?

------
sotoseattle
The title alone is worth a point: Violence, fear, Dongles (?), satanic Spawn,
and a finale of Carnage.