Millions of General Motors' cars were vulnerable to hackers for almost five years

Graham CLULEY

September 11, 2015

Although car hacking has hit the headlines like never before this year with Jeeps being commandeered remotely as they shoot down the highway at 70mph, and security researchers revealing how they can disable a vehicle’s brakes just by sending an SMS, it’s not actually a new phenomenon.

For instance, researchers at the University of California at San Diego and the University of Washington have been studying automobile security for half a decade, and warned General Motors that millions of its cars and trucks were vulnerable to attacks as far back as the spring of 2010.

As Wired reports, it was back then that the security researchers warned GM that they had managed to remotely exploit the OnStar dashboard computer fitted on some vehicles, giving them remote control over the car.

You can see the attack in action in this video clip from US news show “60 Minutes”, broadcast earlier this year.

https://www.youtube.com/watch?v=rGMdmA9gqzc

In that report, the car’s make and model was disguised by masking tape. But now the truth can be told. It was a Chrysler Impala.

The car-hacking attack saw the Impala’s OnStar computer system contacted via a phone call, and an MP3 file of different tones played to bamboozle the software, and trigger a buffer overflow vulnerability.

The attackers could then inject their own code into the car remotely, taking control of its systems.

Frightening stuff. But perhaps more worrying is that General Motors – despite best intentions – struggled to fix the problem.

Although GM tried to properly fix the flaw, updating the software in later models and attempting to block the calls from unauthorized numbers, their efforts were sidestepped by the researchers – who found they were still able to reach vulnerable vehicles.

GM chief product cybersecurity officer Jeff Massimilla told Wired reporter Andy Greenberg that the company was only able earlier this year to perform a cellular update of the older OnStar computers – almost five years after it was first alerted to the issue.

The update, it appears, is something of an achievement as the vehicles were not designed to receive updates in that fashion – potentially raising eyebrows that GM may have itself exploited vulnerabilities to get customers’ cars patched, rather than initiate an expensive and disruptive recall to dealerships.

The five-year delay is blamed on the car manufacturer not being properly prepared for hacking attacks and their remediation – a threat to which Massimilla is keen to emphasise the company is now much more capable of responding:

“The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity. Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”

Certainly it is encouraging that GM appears to have pushed out a fix to a flaw found in July in its iOS OnStar app within a couple of days.

All the same, the speed at which automobile manufacturers are racing to connect their vehicles to the internet raises serious concerns about safety and security. Whether or not GM is treating the hacking threat seriously, one has to wonder if other manufacturers are doing enough to prevent hackers from hijacking their cars remotely.

After all, if cars can be hacked, then it’s our lives, not just our data, that could be at risk.
