REPORT: Progressive Insurance Driving Tracker Lacks Basic Security, Allows Attacker "
EagleRockCafe Offline

I think I would pass on using this tracking device....

Quote: Corey Thuen, a senior researcher with Digital Bond Labs, reverse engineered Progressive Insurance’s SnapShot device — used in 2 million US vehicles — and tested it on his 2013 Toyota Tundra truck. After picking apart the hardware and testing its wireless communications while plugged into the vehicle’s OBD-II diagnostic port on the car’s local network, Thuen found the Progressive dongle doesn’t authenticate to the cellular network or encrypt its traffic. The firmware isn’t signed or validated, and there’s no secure boot function. Also, the device uses the notoriously unsecure FTP protocol.

The device runs on CANbus, the very same network where key vehicle functions — including braking, park assist steering, and ECU — are housed. It sends messages over the CAN to request information from the vehicle’s computer systems, such as revolutions per minute, to calculate the driver’s ultimate insurance policy rate.

“Anything on the bus can talk to anything [else] on the bus,” he says. “You could do a cellular man-in-the-middle attack” on the device’s communications to Progressive, because there’s no authentication or encryption. But a MITM would require spoofing a cell tower to capture the traffic, which Thuen did not test.

It would be easy for data to be leaked wirelessly. “What happens if Progressive’s servers are compromised?” he says. “An attacker who controls that dongle has full control of the vehicle.”

http://directorblue.blogspot.com/2015/01...iving.html
01-22-2015 02:02 PM
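
The quoted report notes that the dongle only needs to request values such as RPM, yet anything on the CAN bus can talk to anything else. One mitigation is a filter between the diagnostic port and the bus that forwards only read requests. The C code below is an added example, not from the article or from Progressive's firmware. The struct, function names and PID allowlist are hypothetical; the request ID 0x7DF, service 01, PID 0x0C and the RPM formula are standard OBD-II values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic 11-bit CAN frame as a gateway sees it from the dongle port. */
struct can_frame_s { uint16_t id; uint8_t dlc; uint8_t data[8]; };

#define OBD_FUNCTIONAL_REQ 0x7DFu  /* OBD-II functional request ID */
#define OBD_MODE_CURRENT   0x01u   /* service 01: show current data */
/* PIDs the dongle may read (assumed policy, for illustration only). */
static const uint8_t allowed_pids[] = { 0x0C /* RPM */, 0x0D /* speed */ };

/* True only for a single-frame service-01 request for an allowlisted PID. */
bool dongle_frame_allowed(const struct can_frame_s *f)
{
    if (f == NULL || f->id != OBD_FUNCTIONAL_REQ || f->dlc < 3 || f->dlc > 8)
        return false;              /* not a diagnostic request: drop */
    if (f->data[0] != 0x02 || f->data[1] != OBD_MODE_CURRENT)
        return false;              /* wrong length byte or non-read service */
    for (size_t i = 0; i < sizeof allowed_pids; i++)
        if (f->data[2] == allowed_pids[i])
            return true;
    return false;                  /* PID not on the allowlist */
}

/* Decode an RPM reply (0x41, PID 0x0C): rpm = (256*A + B) / 4.
 * Returns -1 if the frame is not a well-formed RPM response. */
int32_t obd_decode_rpm(const struct can_frame_s *f)
{
    if (f == NULL || f->id < 0x7E8u || f->id > 0x7EFu || f->dlc < 5)
        return -1;
    if (f->data[0] != 0x04 || f->data[1] != 0x41 || f->data[2] != 0x0C)
        return -1;
    return (int32_t)((((uint32_t)f->data[3] << 8) | f->data[4]) / 4u);
}

int main(void)
{
    /* Constructed sample frames, not captured from any vehicle. */
    struct can_frame_s req   = { 0x7DF, 8, { 0x02, 0x01, 0x0C } };
    struct can_frame_s other = { 0x220, 8, { 0x11, 0x22, 0x33 } };
    struct can_frame_s resp  = { 0x7E8, 8, { 0x04, 0x41, 0x0C, 0x1A, 0xF8 } };
    printf("rpm request allowed: %d\n", dongle_frame_allowed(&req));
    printf("other frame allowed: %d\n", dongle_frame_allowed(&other));
    printf("decoded rpm: %d\n", (int)obd_decode_rpm(&resp));
    return 0;
}
```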