Snapshot is a Bluetooth tool provided by one of the United States’ largest car insurance firms, Progressive Insurance, to track driver habits for insurance purposes. It is normally used to collect vehicle location, driving speeds and driving patterns to build custom car insurance policies or determine a car owner’s premium.

Corey Thuen, a security researcher at Digital Bond Labs, says that Snapshot is vulnerable to hacking and that, using a hacked Snapshot, a potential hacker can remotely hijack personal details of approximately 2 million car users in the United States who buy car insurance from Progressive Insurance. In extreme cases it can even be used to hijack the car itself, says Thuen.

Thuen will present his findings on the Snapshot vulnerabilities at the S4 conference in a talk titled “Remote Control Automobiles”.

Thuen says the problem lies in Snapshot’s extremely insecure and vulnerable firmware. “The firmware running on the dongle is minimal and insecure,” Thuen told Forbes.

Thuen found that Snapshot connects to the vehicle’s onboard network via the OBD2 port. This gives cyber criminals an opportunity to hack Snapshot and would allow the would-be hacker, whether inside the car or outside, to take control of core vehicular functions, he claims.

Thuen says that many cyber security experts have theorized that such usage-based insurance dongles would be a viable attack vector, but his exploit now proves it to be true. He attributes his success to the fact that earlier hypotheses of attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes.