Today we posted the video of Corey Thuen’s S4x15 Technical Session on the insecure by design Progressive Snapshot dongle. Progressive responded with a statement to a Forbes reporter:
if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited.
What Corey pointed out, in a manner similar to Project Basecamp did with PLC’s, is that these systems are insecure by design. The vendor, Xirgo Technologies, surely knows they didn’t include even basic security controls in their design. This is not news to them. If it was news to Progressive, then they did not perform a rudimentary security analysis before making this available to potential customers.
The best analogy I have come up with so far is storing cash, jewelry and other valuables in a vacant house. The house has no doors, no windows, no alarms, no neighbors watching, no security at all. All that is required is a thief to say I want those valuables, walk in and take them. Is it really necessary to tell the owner of those valuables that a thief can walk into that house because it lacks security? Surely he knows and accepted this.
Corey also briefly points out that a look at the code indicates that basic secure coding practices were not used in the development. It is likely rife with vulnerabilities. Even if the doors and windows with locks are put on the house, the walls are paper, 襖, relying on attackers to respect the illusion of a solid wall.
In the Forbes article Progressive also said, “The safety of our customers is paramount to us.” I’m sure this is true, and they likely have a robust security program around their e-commerce and customer web site projects. Progressive, and other vendors offering these dongles, need to be progressive and extend their security programs to these products that provide remote access to the OBD-II port on your vehicle.
This is a bigger problem than OBD-II dongles. Reid’s session from last October at S4xJapan showed Hitachi and Sanyo Denki using the CoDeSys runtime library without evaluating the security vulnerabilities and deficiencies of that code. Vendor’s buying devices, components and software need to assess the security of the product before they sell or provide it to customers.
Ironically, this was not a very good project for Digital Bond Labs. They work with vendors to find vulnerabilities so they can be fixed before product release, an external red team so to speak. The Snapshot dongle did not require finding and exploiting vulnerabilities. Security needs to be integrated into the design and then it is worthy of an internal or external red team to give it a hard shake to see if their are any latent vulnerabilities.