back to article Dongle bingle makes two MEELLION cars open to exploit

A bluetooth dongle used to track driver habits for insurance purposes has been hacked potentially allowing cars to be remotely hijacked, researcher Corey Thuen says. The attack targeted the SnapShot dongle offered by US company Progressive Insurance and used by two million American drivers which collected vehicle location and …

  1. LaeMing
    Go

    could result in loss of life

    I hope their product liability insurance is up-to-date!

  2. William Boyle

    Not a chance

    If my insurance company wanted me to install one of these things in my car, I would tell them to go fark themselves! If they insisted, I would take them to court, after I switched to an insurance company who wasn't so stupid!

    1. User McUser

      Re: Not a chance

      To be clear, the monitoring program is optional.

      In exchange for allowing your insurance company to openly spy on you, you get a discount on said insurance. That is, as long as you obey the rules in the monitoring agreement. I'm sure if you speed a lot or do something else they don't like they'll jack your rates right back up.

  3. dan1980
    Unhappy

    And here I was just last week talking about how health insurance providers are trying to bribe people into their information via 'fitness trackers' through offering a discount for doing so.

    Anyone who actually agrees to tell their insurance companies where they are and (often by extension) what they are doing at all times is just plain stupid. Unfortunately, the more people agree to this, the more prevalent it will become and the harder it will be to find policies that provide a good deal without you having to let them track you.

    Before long, you will have governments wanting all this information as a matter of course - not just with a warrant. And they will use the same ridiculous arguments they do now, which amount to:

    "But people give their personal information to Facebook - I don't understand why they wouldn't want us to having it all too."

    It's up to everyone to resist this insidious push from every part of the commercial world for ever increasing amounts of our data.

    One can imagine the ideal consumer:

    • Loyalty cards for every shop
    • 'Rewards' card from the bank
    • Using 'Uber' for taxis
    • Fitness tracker for health insurance
    • Blu-tooth car tracker for car insurance
    • Smart TV hooked up to the Internet and signed into all the services
    • Fills in all the 'warranty' cards and registers all their products
    • Facebook app open on the phone, posting location updates and 'liking' restaurants and shops and products (for a chance to win!)
    • Using phone apps to purchase from vending machines
    • Entering every competition (all I have to do is tell them what I do, how much I earn how often I eat out at restaurants, how much I spend each month on clothes and the ages of my children and I could will a $50 voucher!)

    Imagine how 'relevant' and 'personalised' the 'content' you receive will be! Awesome!

    (And that's just when it's used for the relatively 'benign' purposes of getting you to buy crap and extracting maximum profit from everyone. When that data inevitably finds its way to even less ethical people it becomes extra-awesome.)

    Life is short. Which is just as well because it's also nearly unbearably depressing.

    1. Mark 85

      But..but.. it's the wave the future and the future is here now. It's been in all the papers. :) Yeah, I got hit on that... good driver/low milage and let us track your car for lower rates. Except my car doesn't have anyway for Bluetooth to work. No On-star, etc. The agent suddenly changed tactics and tried to talk me into getting a new car for lower premiums. I wonder how many idiots fall for that. I might have if (bit IF) I needed a new car since their interest rate was like 1% (well below the bank's)..

      But that's the game with the IoT's, give you a seemingly good deal while extracting and monitoring you. I wonder how many people would put up with such tracking and targeting if it was done by the government for, say, a lower tax rate? (I hope NSA doesn't read this... they might talk to Congress.)

      1. Tom 35

        cherry picking

        Right now it's Don't drive much? Safe driver? let us spy on your so we know and get "up to" 30% discount.

        Let the people who would not want the insurance company to know how they drive go to a different company.

        Profit.Sell the data, bonus!

    2. Anonymous Coward
      Anonymous Coward

      Of course if you're someone who wants to avoid detection for any reason then this kind of approach is ideal since it makes it easy to generate a suitable data profile that allows you to merge in with the masses.

    3. Anonymous Coward
      Anonymous Coward

      And here I was just last week talking about how health insurance providers are trying to bribe people into [giving up] their information via 'fitness trackers' through offering a discount for doing so.

      Yup. Our HR department just announced our participation in this "exciting program" from CIGNA. Personally I have no interest in fitness trackers, but if I did, I certainly wouldn't be sending the data to a for-profit corporation.

  4. frank ly

    Outsourcing

    "Progressive Insurance said ...... it would welcome input on identifying the holes."

    Because that's a lot cheaper and easier than doing it properly in the first place.

    Why does the car control system accept inputs from a dongle that anyone can plug in? Why don't they have an output-only port for monitoring? A moment of thought would ......... oh.

    1. Mark 65

      Re: Outsourcing

      Because the port that's there is for mechanics to use. Why go to the extra expense of having a read-only and a read-write port? Seriously, why would the current dual purpose one ever be abused....?

  5. Old Used Programmer

    Of course...if the car you drive doesn't *have* that sort of electronics in it, there is no data to gather.

    1. Anonymous Coward
      Anonymous Coward

      Of course...then they tag your car as "too old" and "high risk" and your premiums shoot through the roof... and of course, all the car insurance people carry this out in order to stay competitive, so your only option is the mass transit station that's over a mile away over hills and other inhospitable terrain in an area known for frequent rain...

      1. BongoJoe

        Blaenau Ffestiniog?

  6. Christian Berger

    Actually that's rather a non-issue here...

    Since those problems are only relevant if you connect the dongle to an actual car... in that case they even advertise that they will track your every move.

    If you use it the way it's intended, on a "car simulator", you should be safe. Never ever connect it to your car. That should be common sense.

    1. Michael Thibault

      Re: Actually that's rather a non-issue here...

      "Car simulator"?! I smell a marketing opportunity.

      1. P. Lee

        Re: Actually that's rather a non-issue here...

        >"Car simulator"?! I smell a marketing opportunity.

        A little box which messes with GPS signals?

        Sounds good to me. Feed it data from google maps and off it (virtually) goes.

        1. Christian Berger

          Re: Actually that's rather a non-issue here...

          "A little box which messes with GPS signals?"

          Doesn't need to be so complex. Those boxes don't have GPS, they are connected to the CAN bus in a car. It should be fairly simple to emulate that.

          1. Anonymous Coward
            Anonymous Coward

            Re: Actually that's rather a non-issue here...

            > "A little box which messes with GPS signals?"

            > Doesn't need to be so complex. Those boxes don't have GPS, they are connected to the CAN bus in a car. It should be fairly simple to emulate that.

            You only need to intercept the speed data from the CAN bus and reduce anything over 30mph by 20% before it gets into the insurance company device. Should be enough to get the best premiums.

    2. Mystic Megabyte

      Re: Actually that's rather a non-issue here...

      I tried programming a car simulator but got a variable wrong. My car is now in 1969 and having a good time at the Woodstock festival.

      On the plus side it's mileage is now minus 41022 :)

    3. usbac Silver badge

      Re: Actually that's rather a non-issue here...

      I've actually been thinking about building one. CAN bus isn't really that complicated. I figure it's only a matter of time until all insurance companies require them (or make rates so high, you can't afford insurance without using one). I would never install such a thing on my car.

      I could move offshore, and sell them on Ebay. I'm really surprised no one has started doing it yet? I would have thought some Chinese company would already be making them? All you need is a simple dongle and some software for the PC.

      1. Christian Berger

        Re: Actually that's rather a non-issue here...

        > All you need is a simple dongle and some software for the PC.

        Actually such dongles are readily available. All you need is a bit of cabling, some resistors for pull-up and termination and off you go. The rest can be done in software.

  7. Robert Helpmann??
    Childcatcher

    Oh No, Flo!

    It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies ... basically it uses no security technologies whatsoever.

    Best. Review. Ever. There is nothing I can add to that. It is simply perfect.

    1. Dan 55 Silver badge
      Mushroom

      Re: Oh No, Flo!

      And it's actually legal for an insurance company to foist something like that onto their customers.

      Isn't there a law against that somewhere, just as there would be if a car more-often-than-not fell to pieces within a year. Or are we all expected to put up with shoddy IoT crap for the next 20 years because politicians have their e-mails printed out for them and have no idea about legislating in this area?

      1. John Tserkezis

        Re: Oh No, Flo!

        "And it's actually legal for an insurance company to foist something like that onto their customers."

        "Isn't there a law against that somewhere,"

        It is legal as long as they state they're doing it. A car hire company got into the shit a couple of years ago when they started issuing speeding "fines" by reading the GPS logs when the vehicle was returned. Never mind the fact a "fine" is a goverment legislated thing with tight restrictions that retard private car hire companies don't have the luxury to hoist on their customers anyway.

        They "fixed" it by burying it in their fine print, and calling a "fee" instead.

        Ahh, the fine print, does it know no limits?

  8. Anonymous Coward
    Anonymous Coward

    So easy to fix...

    This device has no reason what so ever to be transmitting on the CAN bus and the transceiver should be configured so that it is impossible for it to do so:

    1) This would prevent it corrupting the bus if the device where to go faulty (which can also lead to undesirable behaviour);

    2) It would be unable to change anything within the vehicle systems.

    1. Charles 9

      Re: So easy to fix...

      Um...how can it query the bus to get the information it needs if it isn't able to transmit into it?

      1. Anonymous Coward
        Anonymous Coward

        Re: So easy to fix...

        CAN is a broadcast bus (think of it as a distributed memory region). Only one node is permitted to "write" to a location by sending a message with a particular identifier value (unless you get in to the use of more complex higher-level protocols), but any node is permitted to "read" it be receiving messages with that identifier.

        All nodes participating in (active) bus communications transmit, even if it's just to say "received" or "that message was not valid when it got here". However, a device like this (assuming it's directly connected to the CAN bus, which is not always the case if it does via the OBDU connector) does not (and should not) send acknowledge bits, error frames or anything else as it is not part of the design and it's failure modes have not been considered.

    2. deludedrich

      Re: So easy to fix...

      Most of these boxes work by sending OBD2 requests to the ECU for things like road speed, RPM, accelerator position. They combine that with accelerometer and GPS data to come up with some dubious driver style calculation. OBD2 is a request-response protocol so needs CAN BUS to be active.

      However, the vehicle itself normally has a layer of security to prevent people from messing around with things, that's manufacturer and usually model specific, so would be difficult to do any real damage.

      The box supplier should be more worried about people hacking it to send perfect driver style scores thus reducing the insurance premiums.

    3. John Tserkezis

      Re: So easy to fix...

      "This device has no reason what so ever to be transmitting on the CAN bus and the transceiver should be configured so that it is impossible for it to do so:"

      I can see a market for the "old school" hidden lockout switches. You know, the ones that prevent the engine from running till you flip the obscure switch?

      This is the same, but disables the USB port on the dash (or whereever it is) except if you're taking it to the mechanics or such (and they'd probably have access to other ports anyway).

  9. John Robson Silver badge

    Why does it even need CANbus access - would a simple GPS/accelerometer module not cover 99.9% of all requirements??

    1. Charles 9

      GPS accuracy drops when the sky's blocked, and the engine can be disengaged from the drivetrain (neutral/clutch up) which requires access to the tachometer to know. Also, what if the speedometer's not calibrated right?

    2. David Pollard

      Why?

      It's easier to obtain a 'careful driver' score and probably more accurate if information about accelerator position, revs and brake pressure are also available.

    3. Anonymous Coward
      Anonymous Coward

      I think it would be able to create a decent driver profile with just that, you don't need to have access 100% of the time to see what sort of driver someone is for insurance purposes, you just need to know what times they drive, how fast they drive and how erratically.

      They only issue is blocking GPS but the accelerometer should flag up any issues with that, Some people who drive along streets in major cities with large skyscrapers could be stopped from using that device due to lack of GPS signal but they could be offered the OBD version instead.

      I guess the reason they plug into the vehicle information system is because they can and they are being overly obsessive.

      1. John Tserkezis

        "you just need to know what times they drive, how fast they drive and how erratically."

        As the saying goes: There's an app for that. Seen a TV ad for it, where you can compare with friends (and I bet it silently sends to an insurance company too).

    4. John Tserkezis

      "Why does it even need CANbus access - would a simple GPS/accelerometer module not cover 99.9% of all requirements??"

      Not when you need logging functionality as well, the GPS/accelerometer won't do that by itself.

  10. Mark Allen

    Can someone explain...

    Why on earth is a tool for monitoring how and where you drive allowed to mess with the car's controls? Shouldn't the point of a monitoring tool be to watch only? If this device can also control the car then isn't that a simple get-out in court in case of an accident? Or do the companies supply a separate insurance policy to cover the damage that may be caused by the dongle talking control ROTM style?

    1. Meerkatjie

      Re: Can someone explain...

      I think the tool is only monitoring but it has been so badly coded that if some person hacks the server or the dongle there is nothing stopping the tool being adjusted to do whatever that person wants it to do.

  11. Doctor Syntax Silver badge

    Wouldn't connecting something like this invalidate the car's warranty and the construction & use approval (or equivalent in the jurisdiction concerned)?

  12. Irongut

    And this is why I always tell people not to take those policies.

    They can monitor my every fucking move when I'm dead.

  13. Nigel 11

    No win no fee lawyers have their uses ....

    I expect that great fun will ensue the next time someone's airbags go off "for no reason" and one of these dongles is present. The victim's lawyer will sue a car company but disclose that an insurance dongle was plugged in. The car company will countersue the insurer (with heavyweight lawyers). The lawyers will get rich. The victim will probably get some compensation. I expect (or rather hope) that it's the insurer's no-security dongle that gets the blame.

    I am seeing more and more reasons for driving around in an old car (pre-CANBUS).

  14. JamesPond
    Holmes

    Crash to stop insurance price hike

    So if you have one of these fitted to your car, it's actually better to hit the idiot who pulls out in front of you with no warning because if you brake harshly or swerve to avoid and don't hit anyone, it's your insurance premium that will go up because you'll be deemed a bad driver! Wonderful idea.

    1. nigeb

      Re: Crash to stop insurance price hike

      Most CAN transceivers have a passive mode for read-only but it's a software controlled feature. So your hackers could change it to get write access. I don't see what you could do in hardware to prevent this.

      It strikes me there should be a manufacturer-provided port for this function based off an additional can-bus with copies of the relevant data. Anything writing to that would have no effect on the vehicle.

      1. LaeMing
        Boffin

        Re: Crash to stop insurance price hike

        Might be time for CAN bus people to discover this revolutionary new technology called a 'firewall' (not the type that sits between the engine and your feet!)

    2. Queasy Rider

      Re: Crash to stop insurance price hike

      I had such an accident, was forced to brake hard enough to lock the wheels. My bike rose up onto front wheel, Tom Cruise style, but I still clipped the guy cutting me off. His insurance paid, but if he had moved half a second earlier, he would have cleared and I still would have been smeared across the highway with him having disappeared into the night.

  15. Mark Quesnell

    I'm not an expert on the CAN bus, but it seems to me that if the only purpose of this dongle is to record data for insurance purposes it should have been designed to be "read only" off of the bus. Then there wouldn't be any issue about taking control of the car. Why even hook up any write lines for a function like this? I understand it needs to be able to query the bus for information - but that is way different from putting data on the bus and issuing a write command.

    There would still be the issue of the logged data being easily available though.

  16. Richard 30

    Access to CaNBUS is not needed for driver scoring

    I run a VC fund. We looked at investing in a company (they turned us down!) who can get all the data they need from a smartphone app with no need for access to CANBUS. This business model addresses the issue that US cars all have a standard port that a dongle like this canplug into but in Europe, black boxes for telematics in car insurance are all model / manufacturer specific and expensive custom installations. They have backing from a major European insurer.

    The apparent risks of selective monitoring and fraud in this approach can all be dealt with by requiring minimum usage and regular photo evidence of tachometer readings, MOT, V5 docs etc. and investigating discrepancies.

  17. Winkypop Silver badge
    Big Brother

    Connected world

    Fine.

    But I get to set the limits.

    For now.

  18. akeane
    Thumb Up

    Wicked!

    Life size Scaleterix(sic) coming to your town soon!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like