Insurance Company Dongles Don't Offer Much Assurance Against Hacking

According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies basically it uses no security technologies whatsoever.”

Re:Spoofing!

[AK+Marc]

yeah, it's called "gasoline".

And they don't work. If you are running rich, you need an oxygenation. If you are running lean, you need an octane booster. They are nearly opposite, so you don't get both in one. So you need to know the problem before you toss in an additive.

Re:Spoofing!

[AmiMoJo]

Not all manufacturers build their cars that. Some have an OBD-II bridge between the port and the main bus that makes the port read only except for a few very specific commands like resetting error codes. That's why if you look at those videos of people hacking a Prius on YouTube they have dismantled the entire dashboard. They had to get to the segmented parts of the bus, the diagnostic port was not enough to screw with anything interesting.