UBI device vulnerable to cyber attack: expert

Insurance producers selling personal auto policies through a major national insurer may want to reach out to clients after it was revealed the carrier’s optional usage-based insurance devices are at risk.

Risk Management News

By

Insurance producers selling personal auto policies through a major national insurer may want to reach out to clients after it was revealed the carrier’s optional usage-based insurance devices are at risk.

Telematics devices offered by Progressive Insurance, called ‘Snapshot’ dongles, has dozens of security flaws that could be exploited by hackers, says one security researcher.

According to Corey Thuen, a security researcher at Digital Bond Labs, Progressive’s Snapshot device is perilously insecure and vulnerable to remote cyber attacks that could be dangerous for drivers. Thuen suggested that the insurance giant does “nothing to encrypt or otherwise protect the information (it) collects,” and as such, “it would be possible to intercept data passed between the dongles and the insurance providers’ servers.”

“The firmware running on the dongle is minimal and insecure,” Thuen told Forbes. “Basically, it uses no security technologies whatsoever. What happens if Progressive’s servers are compromised? An attacker who controls that dongle has full control of the vehicle.”

Thuen, who investigated Snapshot’s security by reverse-engineering one of the devices, concluded that the technology used by an estimated two million insurance customers is “highly troubling” and vulnerable to attack.

Progressive responded to Thuen’s accusations by criticizing the public nature of his disclosure. The company did invite him to get in touch and share his concerns in a more private setting, however.

“If an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to use so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited,” the company told Forbes. “While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.” (continued.)
#pb#

“A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles,” he said. “Once compromised, the consequences range from privacy data loss to life and limb.”

The news comes on the heels of Progressive’s recent announcement that it would team with General Motors and OnStar to offer UBI to new car owners for a 90-day period
 

Keep up with the latest news and events

Join our mailing list, it’s free!