Millions of General Motors' cars were vulnerable to hackers for almost five years

Graham CLULEY

September 11, 2015

Although car hacking has hit the headlines like never before this year with Jeeps being commandeered remotely as they shoot down the highway at 70mph, and security researchers revealing how they can disable a vehicle’s brakes just by sending an SMS, it’s not actually a new phenomenon.

For instance, researchers at the University of California at San Diego and the University of Washington have been studying automobile security for half a decade, and warned General Motors that millions of its cars and trucks were vulnerable to attacks as far back as the spring of 2010.

As Wired reports, it was back then that the security researchers warned GM that they had managed to remotely exploit the OnStar dashboard computer fitted on some vehicles, giving them remote control over the car.

You can see the attack in action in this video clip from US news show “60 Minutes”, broadcast earlier this year.

https://www.youtube.com/watch?v=rGMdmA9gqzc

In that report, the car’s make and model was disguised by masking tape. But now the truth can be told. It was a Chrysler Impala.

The car-hacking attack saw the Impala’s OnStar computer system contacted via a phone call, and an MP3 file of different tones played to bamboozle the software, and trigger a buffer overflow vulnerability.

The attackers could then inject their own code into the car remotely, taking control of its systems.

Frightening stuff. But perhaps more worrying is that General Motors – despite best intentions – struggled to fix the problem.

Although GM tried to properly fix the flaw, updating the software in later models and attempting to block the calls from unauthorized numbers, their efforts were sidestepped by the researchers – who found they were still able to reach vulnerable vehicles.

GM chief product cybersecurity officer Jeff Massimilla told Wired reporter Andy Greenberg that the company was only able to perform a cellular update of the older OnStar computers earlier this year – almost five years after it was first alerted to the issue.

The update, it appears, is something of an achievement as the vehicles were not designed to receive updates in that fashion – potentially raising eyebrows that GM may have itself exploited vulnerabilities to get customers’ cars patched, rather than initiate an expensive and disruptive recall to dealerships.

The five-year delay is blamed on the car manufacturer not being properly prepared for hacking attacks and their remediation – a threat to which Massimilla is keen to emphasise the company is now much more capable of responding:

“The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity. Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”

Certainly it is encouraging that GM appears to have pushed out a fix to a flaw found in July in its iOS OnStar app within a couple of days.

All the same, the speed at which automobile manufacturers are racing to connect their vehicles to the internet raises serious concerns about safety and security. Whether or not GM is treating the hacking threat seriously, one has to wonder if other manufacturers are doing enough to prevent hackers from hijacking their cars remotely.

After all, if cars can be hacked, then it’s our lives, not just our data, that could be at risk.
