TMCnet Feature
January 20, 2015

Is the Progressive Insurance Car Dongle a Free Pass for Hackers?

By Steve Anderson, Contributing TMCnet Writer

While many of us often think of the car as a device that hasn't changed much, at least not structurally, since its inception, there are plenty of changes that have occurred and are set to come into play before too much longer has passed. One of these involves the insurance industry, which is looking to use small devices known as dongles to help understand how users drive and how much, which can lead to alterations in insurance rates. But the dongles may come with problems as well, as was recently discovered by security researcher Corey Thuen, whose research suggests that the dongles may not be particularly safe, despite being useful.

Thuen is a researcher with Digital Bond Labs, and will reportedly be bringing his research to the upcoming S4 conference as part of a talk called “Remote Control Automobiles.” Thuen has discovered that, under the right conditions, the Progressive Insurance dongle known as the “Snapshot” system—which connects to a car's systems via the commonly found OBD2 port—may leave a car open to outside attack. The Snapshot dongle is reportedly in use on over two million vehicles in the United States, but doesn't come with much at all in the way of security, meaning that outside intrusion—even outside takeover—could be more likely than some expected.

Current reports suggest that Thuen has gone quite a long way toward finding out how such attacks might happen, starting with extracting the dongle's firmware and discovering that its ability to resist outside intrusion is essentially nonexistent. Thuen notes that the dongle has “...no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies...” Thuen wrapped up that laundry list with a grim pronouncement, noting that the device “...basically...uses no security technologies whatsoever.” But that alone would not be enough for a remote attack on a vehicle; the u-blox modem that connects the dongle to Progressive's servers would also need to be attacked. However, this has already been proven possible, so the two attacks together would make a remote attack on the vehicle feasible.
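The first item on that list, “no validation or signing of firmware updates,” is the control that decides whether a device will install whatever blob arrives over its cellular link. The following Go program is an added illustration of what that control looks like, written for this article; it is not code from Progressive, Digital Bond Labs, or the Snapshot device, whose real update format is not described here. It assumes Ed25519 signatures, a vendor public key burned into the device, and constructed sample payloads, and contrasts an acceptor with no check at all against one that rejects tampered images, images signed by the wrong key, and rollbacks to older versions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update blob delivered
// to a dongle over its cellular link. Field layout is an assumption.
type FirmwareImage struct {
	Version uint32
	Payload []byte
	Sig     []byte // signature over digest(Version || Payload); empty for unsigned images
}

// digest binds the version number to the payload so a valid signature on an
// old image cannot be re-labelled with a newer version header.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	v := [4]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// AcceptUnsigned models the behaviour the article describes: any blob that
// arrives is treated as a legitimate update. It never fails.
func AcceptUnsigned(img FirmwareImage) error {
	return nil
}

// AcceptSigned models the missing control: the device holds only the vendor's
// public key and refuses any image whose signature does not verify under that
// key, or that would roll the installed version backwards.
func AcceptSigned(vendorPub ed25519.PublicKey, installed uint32, img FirmwareImage) error {
	if img.Version <= installed {
		return errors.New("rollback rejected: version not newer than installed")
	}
	if len(img.Sig) != ed25519.SignatureSize {
		return errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(vendorPub, digest(img.Version, img.Payload), img.Sig) {
		return errors.New("signature does not verify under vendor key")
	}
	return nil
}

// SignImage is the vendor-side step; the private key stays on the build system.
func SignImage(vendorPriv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(vendorPriv, digest(version, payload)),
	}
}

// Demo exercises the four cases a reviewer would want to see and reports
// whether each was accepted: a genuine signed image, a tampered payload,
// an image signed by some other key, and a rollback to an older version.
func Demo() (genuine, tampered, wrongKey, rollback bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // an attacker-controlled key
	const installed = 7

	good := SignImage(vendorPriv, 8, []byte("constructed firmware payload v8"))
	genuine = AcceptSigned(vendorPub, installed, good) == nil

	bad := good // same version and signature, modified payload
	bad.Payload = []byte("constructed firmware payload v8 + modification")
	tampered = AcceptSigned(vendorPub, installed, bad) == nil

	forged := SignImage(otherPriv, 8, []byte("constructed firmware payload v8"))
	wrongKey = AcceptSigned(vendorPub, installed, forged) == nil

	old := SignImage(vendorPriv, 6, []byte("constructed firmware payload v6"))
	rollback = AcceptSigned(vendorPub, installed, old) == nil
	return
}

func main() {
	g, t, w, r := Demo()
	fmt.Printf("signed acceptor: genuine=%v tampered=%v wrongKey=%v rollback=%v\n", g, t, w, r)
	// With no check at all, every one of those images would be installed.
	fmt.Println("unsigned acceptor installs anything:", AcceptUnsigned(FirmwareImage{}) == nil)
}
```

Only the genuine image passes the signed acceptor; the unsigned acceptor installs all four. Secure boot, the next item in Thuen's list, is the same check applied again at power-on so that an image written to flash by some other path still cannot run.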

It's not surprising that insurance companies don't have a handle on security for car dongles. Such companies don't commonly deal in that sort of thing, and as such, it's outside the normal range of their operations. So while insurers can be forgiven for not having had a handle on car dongle security, now that such a problem is known, it should be a top priority for repair and protection. While the insurance industry hasn't previously had a handle on digital security, it badly needs to get that handle in place. Right now, the risks are comparatively slim; there likely aren't many hackers going after vehicles. But the first one that does is likely to let others know how it's done, and once it's common knowledge, there will be bad actors waiting to take advantage of those security issues. Should that become a widespread problem, it will likely be an even bigger one for companies like Progressive that didn't put protection in place when it was clearly needed.

Still, this is likely to be a problem that will take a while to be recognized and fixed. The research is just now starting to come out, and solutions will be a little farther off. But added security for car dongles is a smart idea, and one that's likely to be put in play fairly soon.

Edited by Maurice Nagle