Progressive security holes put 2 million at risk

Insurance producers selling personal auto policies through a major national insurer may want to reach out to clients this week after it was revealed that the carrier’s optional usage-based insurance devices are at risk.

Telematics devices offered by Progressive Insurance, the “Snapshot” dongles, contain dozens of security flaws that could be exploited by hackers.

According to Corey Thuen, a security researcher at Digital Bond Labs, Progressive’s Snapshot device is perilously insecure and vulnerable to remote cyber attacks that could be dangerous for drivers. Thuen suggested that the insurance giant does “nothing to encrypt or otherwise protect the information [it] collects,” and as such, “it would be possible to intercept data passed between the dongles and the insurance providers’ servers.”

“The firmware running on the dongle is minimal and insecure,” Thuen told Forbes. “Basically, it uses no security technologies whatsoever. What happens if Progressive’s servers are compromised? An attacker who controls that dongle has full control of the vehicle.”

Thuen, who investigated Snapshot’s security by reverse-engineering one of the devices, concluded that the technology used by an estimated two million insurance customers is “highly troubling” and vulnerable to attack.

Progressive responded to Thuen’s claims by criticizing the public nature of his disclosure. The company did, however, invite him to get in touch and share his concerns in a more private setting.

“If an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited,” the company told Forbes. “While it’s unfortunate that Mr. Thuen didn’t share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims.”

“A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles,” Thuen said. “Once compromised, the consequences range from privacy data loss to life and limb.”

The news comes on the heels of Progressive’s recent announcement that it would team with General Motors and OnStar to offer usage-based insurance (UBI) to new car owners for a 90-day period.


by Caitlin Bronson | Jan 19, 2015
