Progressive Insurance, and its TV personality “Flo,” have for years been urging consumers to install a small electronic device called Snapshot into their cars that allows the insurer to gather safety data on drivers. Supporters say the device, sometimes called a dongle, lets Progressive offer discounts based on the way customers actually drive their cars, a concept called usage-based insurance. Critics say the gadget opens the door for Progressive to spy on its consumers.
Now, a computer security researcher says the gadget opens the door for hackers to spy on drivers, too. Corey Thuen of Digital Bond Labs has accused the firm of not taking even basic steps to make sure data collected by the Snapshot telematics device can’t be observed by strangers.
“The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies,” Thuen told Forbes in advance of publishing his findings at a security conference. “Basically it uses no security technologies whatsoever… A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.”
Progressive spokeswoman Erin Hendrick told me that Thuen made no attempt to contact the firm before releasing his findings. It has since made contact with him and plans to examine his research, she said. She also stressed that there is no evidence the dongles have been hacked in the real world.
“We are confident in the performance of our Snapshot device – used in more than two million vehicles since 2008 – and routinely monitor the security of our device to help ensure customer safety,” Hendrick said. “To be clear, the researcher was not able to control any vehicle functions and we do not have evidence that anyone else has been able to do so. However, we take security very seriously and intend to investigate the matter thoroughly.”
Usage-based insurance — sometimes also called pay as you drive — has been the subject of controversy since it was first introduced seven years ago. While Progressive has been the most aggressive firm to deploy it, others have tested the telematics device, or similar technologies. State Farm drivers can upload driving data through the OnStar service, for example.
Progressive’s Snapshot gathers data on miles traveled, time of day, and abrupt braking. The data is uploaded to Progressive through cellular networks. Drivers who prove their habits are safer than average receive a discount.
While Progressive says location information is not part of the firm’s discount formula, there’s no guarantee the firm — or a competitor — won’t use more data points in the future, and won’t raise rates based on actual driving habits.
Despite the potential privacy concerns, about half of adults surveyed in 2013 said they’d sign up for usage-based insurance if they received discounts. And the National Association for Insurance Commissioners has predicted that 20 percent of consumers will be part of a usage-based program within five years.