Tech expert Corey Thuen will be speaking at the S4 conference to show that pay-as-you-drive dongles aren’t secure.
Corey Thuen, a Digital Bond Labs security researcher, has been working for a number of weeks on the insurance technology in onboard network dongles that are connected to the OBD2 ports of vehicles as a component of usage-based auto policies.
The findings of the research have been striking and they will soon be presented in a talk entitled “Remote Control Automobiles”.
Thuen looked specifically at the Snapshot insurance technology from Progressive. It is meant to track a motorist’s driving behaviors in order to determine whether his or her habits warrant an additional discount off the premiums that are being paid. It is part of a program set up to allow safe drivers to prove that they present a lower risk to their insurers, so that they won’t need to pay as much for their coverage.
What has been found is that the security of the insurance technology in the dongles is strikingly lacking and that the devices could be hacked.
The Snapshot device alone is already installed in over two million vehicles throughout the United States. That said, there are also programs by Allstate, State Farm, and other large insurance companies that are based on similar tech. According to Thuen, the security level in these gadgets is low enough that they could be exploited to give a hacker, located inside or outside of the vehicle, the ability to actually take control of the central functions of the car.
It has been suspected for quite some time that devices such as the dongles for usage-based insurance could open up a path for hackers. However, Thuen has said that he has proven that it can be done. While he has not gone so far as to actually tinker with the controls of his vehicle, he has gained the ability to use his laptop to start the engine, unlock the doors, obtain information, and more. In the Forbes report on the subject, he also pointed out that he has specifically chosen not to “weaponize” his discoveries and access. In that report, he explained that “Controlling it wasn’t the focus, finding out if it was possible was the focus.”