Digital Bond Labs security researcher Corey Thuen has found a way to unlock car doors, start a car, and gather engine information via a dongle known as "Snapshot" – a device used by Progressive Insurance to track driving habits for risk assessment and premium adjustment, according to Forbes.
The dongle is used in more than two million vehicles in the U.S., Forbes said.
A skilled hacker could compromise one to control a vehicle remotely, Thuen said, but a remote attack is only possible if a u-blox modem, which handles connections between the dongle and Progressive's servers, is compromised.
Ultimately, Snapshot's firmware is insecure – with no validation or signing of updates, secure boot, cellular authentication, and secure communications or encryption, Thuen said, noting that compromising Progressive's backend infrastructure could enable control over “devices that make it out to the field.”
