Millions of General Motors' cars were vulnerable to hackers for almost five years

Graham CLULEY

September 11, 2015

Although car hacking has hit the headlines like never before this year with Jeeps being commandeered remotely as they shoot down the highway at 70mph, and security researchers revealing how they can disable a vehicle’s brakes just by sending an SMS, it’s not actually a new phenomenon.

For instance, researchers at the University of California at San Diego and the University of Washington have been studying automobile security for half a decade, and warned General Motors that millions of its cars and trucks were vulnerable to attacks as far back as the spring of 2010.

As Wired reports, it was back then that the security researchers warned GM that they had managed to remotely exploit the OnStar dashboard computer fitted on some vehicles, giving them remote control over the car.

You can see the attack in action in this video clip from US news show “60 Minutes”, broadcast earlier this year.

https://www.youtube.com/watch?v=rGMdmA9gqzc

In that report, the car’s make and model was disguised by masking tape. But now the truth can be told. It was a Chrysler Impala.

In the attack, the researchers contacted the Impala’s OnStar computer system via a phone call and played an MP3 file of different tones to bamboozle the software and trigger a buffer overflow vulnerability.

The attackers could then inject their own code into the car remotely, taking control of its systems.

Frightening stuff. But perhaps more worrying is that General Motors – despite best intentions – struggled to fix the problem.

Although GM tried to properly fix the flaw, updating the software in later models and attempting to block the calls from unauthorized numbers, their efforts were sidestepped by the researchers – who found they were still able to reach vulnerable vehicles.

GM chief product cybersecurity officer Jeff Massimilla told Wired reporter Andy Greenberg that the company was only able earlier this year to perform a cellular update of the older OnStar computers – almost five years after it was first alerted to the issue.

The update, it appears, is something of an achievement as the vehicles were not designed to receive updates in that fashion – potentially raising eyebrows that GM may have itself exploited vulnerabilities to get customers’ cars patched, rather than initiate an expensive and disruptive recall to dealerships.

The five-year delay is blamed on the car manufacturer not being properly prepared for hacking attacks and their remediation – a threat to which Massimilla is keen to emphasise the company is now much more capable of responding:

“The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity. Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”

Certainly it is encouraging that GM appears to have pushed out a fix to a flaw found in July in its iOS OnStar app within a couple of days.

All the same, the speed at which automobile manufacturers are racing to connect their vehicles to the internet raises serious concerns about safety and security. Whether or not GM is treating the hacking threat seriously, one has to wonder if other manufacturers are doing enough to prevent hackers from hijacking their cars remotely.

After all, if cars can be hacked, then it’s our lives, not just our data, that could be at risk.
