Apparently All Cars Can Be Hacked Now: Insurance Dongle Edition

by Aaron Cole

Hackers say they may be able to control any vehicle with a telematics-enabled sensor — including a popular sensor that insurance companies use for consumers — plugged into the car’s diagnostic port, according to a Wired report (via The Verge).

In recent weeks, several hacks have surfaced — Chrysler, General Motors and Tesla — related to specific automakers. According to the report, the On-Board Diagnostic system hack could apply to any make or model fitted with an insurance or tracking dongle. The University of California San Diego researchers say they’ll present their findings at the Usenix conference Tuesday.

And, um, there’s no easy way to put this, but … it doesn’t appear that it would be all that hard to find cars with the dongles at the moment.

The story focused on a dongle provided by a Bay Area insurance provider, MetroMile, which uses the dongle to charge customers by the mile. Hackers remotely shut down a Corvette using the device by sending the dongle an SMS message that confused the device into controlling the car’s vital functions. The hackers say they could control steering, throttle and brakes using the hacks. Although the target was a Corvette, the researchers said they could apply the hack to many more cars.

From the story:

“It’s not just this car that’s vulnerable,” says UCSD researcher Karl Koscher. He points to the work of researchers Charlie Miller and Chris Valasek, who revealed and published the code for a wide array of attacks on a Toyota Prius and Ford Escape in 2013 that required only access to a vehicle’s OBD2 port. “If you put this into a Prius, there are libraries of attacks ready to use online.”

MetroMile says it wirelessly updated its devices when it became aware of the hack weeks ago.

Hackers say that the hack may apply to Progressive Casualty Insurance Company’s Snapshot device, which also uses telematics to transmit information; however, hackers didn’t provide a proof of concept for the device’s vulnerabilities earlier this year.

The Wired story offered a tidbit of terrifying information: UCSD hackers scanned the web using Shodan and found “thousands” of hackable devices — mostly in Spain. It was unclear in earlier hacking reports how vulnerable cars could be targeted without first having direct contact with the car or physical access. Now, apparently, there’s a web search for that.

In addition to insurance dongles, the hackers say similar hacks could be used for dongles placed in fleet vehicles used for tracking.

2 of 34 comments
  • Signal11 on Aug 11, 2015

    This is a much more legit hack than the earlier one reported by Aaron. This attacks through a device that you, your insurance company or your rental car company installed, not one the attackers had to place themselves. A modem attached to the CAN bus network exposes the entire network, which is what happened here and with the Chrysler hack. As for those who are knee-jerk poopooing this story, this is the problem of shoddy journalism. The last article was crying wolf. This attack, OTOH, is a legit threat if you've got a telemetry reporting device for whatever reason because you are now driving around with a known, exposed attack vector. Among the things that are pretty much possible on all post mid 90s cars via CAN bus commands - deploying/deactivating air bags.

  • Thegamper on Aug 12, 2015

    I'll gladly pay extra in insurance costs to avoid the use of a "safe driving" telemetry device. I have a feeling, in my case, the associated cost in declining to have my vehicle fitted with one would be far less than the cost after the insurance company reads the telemetry data and/or dropped me from insurance.
