2,000,000 vehicles already have the Progressive Snapshot plugged into them via the OnBoardDiagnostic(OBD)-II Port. Digital Bond Labs described at a security conference last week how the Snapshot could be used to hack into some vehicles’ onboard networks. Testing was limited to see if it could be done, not extensive to what all could be done.
It was discovered that the Snapshot does not authenticate to the cellular network, nor encrypt its traffic; it uses unencrypted FTP, the device’s firmware isn’t signed or validated, and there’s no secure boot function. The device runs on CANbus, the same standard that processes the inner workings of the vehicle’s airbags, brakes, cruise control, transmission, etc.
If someone wanted to spoof a cell tower, they could be able to conduct a man-in-the-middle attack. If the correct Progressive servers ever got hacked, hackers could own any affected cars, leaving 2,000,000 zombie cars on the roads today! A zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse and can be used to perform malicious tasks of one sort or another under remote direction.
Progressive issued a statement saying that the researcher should have notified Progressive. The researcher who found this, named Corey Thuen, tried to notify the Snapshot manufacturer, but got no response.
Want to learn how to hack cars?