Millions of General Motors’ cars were vulnerable to hackers for almost five years

Although car hacking has hit the headlines like never before this year with Jeeps being commandeered remotely as they shoot down the highway at 70mph, and security researchers revealing how they can disable a vehicle’s brakes just by sending an SMS, it’s not actually a new phenomenon.

For instance, researchers at the University of California at San Diego and the University of Washington have been studying automobile security for half a decade, and warned General Motors that millions of its cars and trucks were vulnerable to attacks as far back as the spring of 2010.

As Wired reports, it was back then that the security researchers warned GM that they had managed to remotely exploit the OnStar dashboard computer fitted on some vehicles, giving them remote control over the car.

You can see the attack in action in this video clip from US news show “60 Minutes”, broadcast earlier this year.

In that report, the car’s make and model was disguised by masking tape. But now the truth can be told. It was a Chrysler Impala.

The car-hacking attack saw the Impala’s OnStar computer system contacted via a phone call, and an MP3 file of different tones played to bamboozle the software, and trigger a buffer overflow vulnerability.

The attackers could then inject their own code into the car remotely, taking control of its systems.

Frightening stuff. But perhaps more worrying is that General Motors – despite best intentions – struggled to fix the problem.

Although GM tried to properly fix the flaw, updating the software in later models and attempting to block the calls from unauthorised numbers, their efforts were sidestepped by the researchers – who found they were still able to reach vulnerable vehicles.

GM chief product cybersecurity officer Jeff Massimilla told Wired reporter Andy Greeberg that it was only able earlier this year to perform a cellular update of the older OnStar computers – almost five years after they were first alerted to the issue.

The update, it appears, is something of an achievement as the vehicles were not designed to receive updates in that fashion – potentially raising eyebrows that GM may have itself exploited vulnerabilities to get customers’ cars patched, rather than initiate an expensive and disruptive recall to dealerships.

The five year delay is blamed on the car manufacturer not being properly prepared for hacking attacks and their remediation – a threat to which Massimilla is keen to emphasise the company is now much more capable of responding:

“The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity. Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”

Certainly it is encouraging that GM appears to have pushed out a fix to a flaw found in July in its iOS OnStar app within a couple of days.

All the same, the speed at which automobile manufacturers are racing to connect their vehicles to the internet raises serious concerns about safety and security. Even if GM is treating the hacking threat seriously or not, one has to wonder if other manufacturers are doing enough to prevent hackers from hijacking their cars remotely.

After all, if cars can be hacked, then it’s our lives not just our data that could be at risk.

Leave a Reply