Dongle hackers ‘could take control of car brakes’ of insurance customers

Hackers could take control of vehicles after a Bluetooth dongle used by insurance companies to track drivers’ habits was compromised, it has been claimed. Two million American drivers use one of the devices from Progressive Insurance, which collects vehicle location and speed records. Security researcher Corey Theun said he discovered that the firmware running on the dongle was “minimal and insecure”.

It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies … basically it uses no security technologies whatsoever.

Security researcher Corey Theun

Theun added that an attack on the adjacent modem was possible, and an attack on the insurance company’s servers could allow a potentially deadly takeover of the car’s acceleration and braking. He said: “What happens if Progressive’s servers are compromised? An attacker who controls that dongle has full control of the vehicle.” The company has said it was not informed about the flaws by Theun before he revealed them at a computer security conference.

A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.

Corey Theun