It Only Took GM Five Years To Patch Dangerous Vulnerability Impacting Millions Of Automobiles
from the good-job dept
For all the hype surrounding the "Internet of Things" (IOT), it's becoming abundantly clear that the security actually governing the sector is little more than hot garbage. Whether it's televisions that bleed unencrypted, recorded living room conversations, or refrigerators that expose your Gmail credentials, IOT developers were so excited to cash in on the brave new world of connectivity, security was an absolute afterthought. Entertainingly, that has resulted in many "smart" technologies being little more than advertisements for the fact that sometimes, it's ok for your device to be as stupid as possible.And while it's annoying for your IOT toaster to be leaking login credentials or your new IOT toilet to be broadcasting bathroom habits on the Internet, when it comes to automobiles -- human lives are at stake. And yet auto infotainment and network security is somehow the poster child for flimsy security practices. That was illustrated perfectly when hackers recently revealed that they were able to all-but take over some Chrysler cars from anywhere in the world provided they simply had the car's IP address -- allowing intruders to rewrite the firmware on the car's head unit.
In that instance, Chrysler released a patch for the vulnerability before the research was even publicized, and quickly implemented a 1.4 million vehicle recall. But historically automakers aren't that quick on their feet (nor are the vulnerabilities that publicized). Millions of GM vehicles, for example, suffered from a similar flaw that allowed hackers to effectively take over everything in the vehicle except for the steering. That particular problem, it was revealed this month, took GM the better part of five years to actually fix despite being a relatively low-tech hack:
"The intrusion technique began with a phone call to the Impala’s OnStar computer. Because Verizon’s voice network coverage was more reliable than its data network, the OnStar computers were programmed to establish a connection to any computer that played a certain series of audio tones, like an old-fashioned modem. UW’s Koscher reverse engineered that audio protocol and created an mp3 file that could trigger a vulnerability in the computer known as a “buffer overflow.”And yes, while this vulnerability in question (which impacted the 2009 Chevy Impala) saw much less media coverage because the hackers didn't publicly name the vehicle, the vulnerability still existed for any hacker or intelligence agency operative to play with at their leisure for half a decade. And while the hackers obscured the vehicle name with masking tape when demonstrating it repeatedly to "a wide variety of government and even military agencies" and the media (like in this 60 Minutes episode earlier this year), it likely wasn't very hard to guess which car they were talking about. Meanwhile, what's the over-under for local law enforcement accurately pinning the source of potential accidents on a vehicle's compromised infotainment firmware?
Put simply, “you play this song to it, and the car’s taken over,” says UCSD’s Savage. From that initial audio attack, the attackers could pivot to take control of the OnStar computer’s higher-bandwidth data connection and finally penetrate the car’s CAN bus, the collection of networked computers inside a vehicle that control everything from its windshield wipers to its brakes and transmission. Put simply, “you play this song to it, and the car’s taken over,” says UCSD’s Savage."
The hackers are quick to downplay GM's negligence here, but note that the company's failures are a symptom of a much bigger disease:
"But the researchers argue that GM’s years-long failure to fully protect its vehicles from that attack doesn’t reflect on GM’s negligence, so much as a lack of security preparation in the entire industry of Internet-connected cars. Automakers five years ago simply weren’t equipped to fix hackable bugs in their vehicles’ software, the way that Microsoft and Google have long fixed bugs within weeks or even hours after they are disclosed to them. And many of those companies may not be much better prepared today.GM says that since this flaw was exposed, they've at least developed the ability to push over-the-air firmware updates to vehicles (though 90% of the time, even new vehicle updates require a user USB install or dealership visit). But the fact it took GM five years of hammering away at the exploit to fix it makes it abundantly clear that the auto-industry is out of its depth when it comes to securing its new generation gee whizzery. And if it took five years to develop a single fix for a single vehicle, just how long do we think it will take for the auto industry to overhaul its entire vulnerability response and reporting systems?
"They just didn’t have the capabilities we take for granted in the desktop and server world,” says Stefan Savage, the UCSD professor who led one of the two university teams who worked together to hack the Impala. “It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: connected cars, patching, security, vulnerabilities
Companies: gm
Reader Comments
Subscribe: RSS
View by: Time | Thread
Even if you want to display diagnostic info, that should be setup as a very strict one direction messaging system. This whole idea of lets connect the dvd player to the accelerator is just stupid in so many different ways.
As for the onstar, I have always thought that system seemed creepy and I have zero interest in owning a car with that system on it. I do not trust a company enough to be handing over that level of control of my vehicle. The idea that someone in an office can push a button to unlock and crank my car.... No thank you.
[ link to this | view in chronology ]
Re:
However, Good security on these things are... companies are only interested in getting a product out as cheap as possible and would rather spend money on DMCA and Copyright measures to keep hackers out in vain attempts to keep their shitty as code work hidden from prying minds.
[ link to this | view in chronology ]
Re: Re:
ftfy
[ link to this | view in chronology ]
Re: Re: Re:
Air Gapping is a clear non-physical connection of the devices in question just to keep air between them. I am just saying the air-gap separation of devices in the vehicle does not have to go that far to keep them disconnected from each other.
As we advance in technology it will soon become a reality for devices to be merely in close proximity to a device not even capable of connecting to a remote device to actually receive unwanted interference. So yea, if the radio in the car can be properly compromised it could potentially be used to emit a signal of sufficient quality to alter the vehicles driving behavior even if the device receiving this interference was not even designed to intentionally receive it.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
Where does the one end and the other begin?
My car has two screens, a small one on the dashboard with basic diagnostic information, and large one off to the right with a touchscreen that handles entertainment, climate control, phone interface, and GPS.
The large one also displays the backup camera view when I put it in Reverse. The control system has to be able to talk to it to tell it when the car's in Reverse, and also to tell it which way the wheel is turned so it can draw the curved guidelines, and to give it feedback from the collision sensors so it can incorporate that into the picture as well. The backup camera is a basic safety feature, and you really want it to be drawn on the large screen so you can see it clearly.
On the other hand, the one on the dash, that specializes in basic diagnostic info (odometer, fuel levels, maintenance warnings, etc.) will also display the distance to and direction of your next turn, when the GPS is active. It has to get that from the "entertainment system". I'd categorize this as a safety feature too: it's simpler and less distracting to glance down than to look off to the side, and when you're driving on GPS guidance it's because you already don't know the route by heart, which means you need to be paying more attention to the road than usual.
You can't put the GPS into the diagnostic system, though, because the complexity of entering a destination requires a relatively sophisticated input mechanism such as a touchscreen. And before anyone suggests that the GPS shouldn't be integrated into the car's computer at all, I've done the whole "external GPS unit" thing with rental cars, and it sucks. Aside from the usual difficulty mounting them so they're 1) visible and 2) stable enough that they won't fall off every time you brake or turn, when it's not integrated with the car's entertainment system, it can't turn the radio down when it announces an upcoming turn.
So yeah, there are a lot of legitimate reasons for the two subsystems to be able to talk to each other that make the driving experience better and safer. Beware throwing the baby out with the bath water.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
an interconnection of a pair of discreet devices is not required for a single display device to receive information or even interact with the systems separately but on the same display screen.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
And if you have one half-decent developer and a management that does not contradict them, you wouldn't have such idiotic security flaws in the first place. It's like they go out of their way to make these systems vulnerable in ways the most moronic author of tech-in-fiction could not possibly make up.
[ link to this | view in chronology ]
Some things shouldn't be automated.
Reading this, I'm thinking more the users. What you've just described is the natural progression of replacing manual transmission with automatic transmission. Why? Users are often too lazy and impatient to learn complex skills, such as driving a car using both hands and both feet and both eyes, not to mention ears and touch and feeling centrifugal forces acting upon their body, all in constant balance and communication using one's brain.
To simplify, think about the spacial orientation skills needed to use rear and side view mirrors in conjunction with all those other skills of controlling a vehicle, but in reverse. Too many potential drivers found that operation far too difficult and time consuming to learn, so now we have a TV and cameras and proximity detectors built in so the driver doesn't need to learn how to drive backwards using mirrors. Now, they rely on magic bullets instead. It only costs $30k/vehicle to implement and doesn't work very well, but people hate learning to do the alternative so it's worth it to them.
Stunning. I'd always wondered where the impetus for this stuff was. This is what happens when you overdose on George Jetson at a young age. Thanks for explaining it so well.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The Answer!!!
Is Never, unless you make it a law, business will never do it. I am not saying that a law should be made either, but I am also the type that thinks we need to remove all of the warning labels off shit and let people just be take advantage of relentlessly. Foolishness should legally be its own reward!
[ link to this | view in chronology ]
Suddenly that joke's a lot less funny.
[ link to this | view in chronology ]
Re:
The computer failed to start at least 20 times in the 11 years I had it.
The solution? Reboot the car.
[ link to this | view in chronology ]
??? If you don't like this, then why the hell are you wanting to allow modifications to it?
This cannot be squared with your prior articles except that the underlying purpose is gives you way to attack copyright and thereby an article.
There's no baby to be thrown out here, just unnecessary hazards.
No sane person wants a car computer to be modifiable, nor to have ANY external input. Should at most have an output only port just constantly repeating diagnostics, not even on demand. Any changes require physical replacement. -- And it shouldn't do much in first place! Just replace a few functions difficult to do mechanically. Weenie-ing is not necessary, can't do magic of making an Impala get 100 miles per gallon.
You kids do know that "Onstar" and most modern cars have radio-activated kill switches, right? You don't own cars anymore, the state does. -- You don't even rail at the imminent surveillance / control by "IOT", just want to sit and watch stolen entertainments.
Attempt # 6! Techdirt tries and fails to keep me out! How can the IOT ever be safe?
[ link to this | view in chronology ]
Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?
I want my car to take input from my phone (hands-free calling and text message-reading) and from any USB device I plug in that contains music.
I also want to be able to write a simple app to run on my car's computer, so that when it starts up and scans automatically for the phone it's expecting to pair up with, if it doesn't find it, it will sound an alert on the speakers and flash a warning at me. This will keep me from accidentally forgetting and leaving my phone at home, which occasionally happens.
Am I insane for wanting either of those things?
[ link to this | view in chronology ]
Re: Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?
Off-topic, but Mason, have you ever considered a carpc?
Don't need anything integrated into the car bus network, just a simple carpc that runs Linux, has bluetooth and does everything you want. Car already supplies 12v DC on the accessory or radio power wire, and getting a 12v DC power supply is far cheaper than an DC/AC/DC converter.
Unfortunately, they aren't cheap, but they are getting far cheaper now that miniitx boards are getting cheaper and the components are getting more standardized (I still hate buying memory for them though...since it is always a crapshoot on how tall the memory will be to fit in one of these things. My first carpc was about $1000, but they are getting cheaper...only big issue now is the price of the DIN case, but you can always mount the computer under a chair or behind the control panel and leave the radio in the car if you want to still have access to that.
[ link to this | view in chronology ]
Re: Re: Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?
[ link to this | view in chronology ]
Re: Re: Re: Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?
[ link to this | view in chronology ]
Re: Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?
[ link to this | view in chronology ]
Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?
[ link to this | view in chronology ]
... thus turning a security flaw into a feature!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
All are la e with updates except ...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
GM Hacks Itself!
Think about that! GM was able to hack its own cars in order to deliver an update over the Internet! If GM could do that to deliver a legitimate patch so can any hacker worth their salt to surreptitiously deliver changes to a car's computing system that would benefit the hacker!
The fact that GM will say little about that "clever hack" suggests the hack itself may still exist. If so what's the betting that there are now hackers out there trying their darnedest to find and exploit it themselves?
[ link to this | view in chronology ]
Re: GM Hacks Itself!
Yeah, that's major o_0 material. Agreed that it should have been in the article!
[ link to this | view in chronology ]
Re: GM Hacks Itself!
Or not. Maybe they patched it to clear this hack as well. Reminds me of a few viruses that once inside they take precautions to avoid further infections by 'competing' ones such as updating Windows and turning firewalls and everything else on.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Example , Hey Dealer #1 your sales are down send out some false flags so you can meet your monthly quota.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Now, there is a vulnerability that took 5 years to fix, that could have brought a lot of "safety issues".
You see, they don't want to take away the ability to modify your car. That's where we are derailing the issue.
They want to take away from you the ability to even repair your own car. You see, some computers require resetting after a component is changed. Now, if you can't even reset your computer, it means that you can't repair your car and that you will have to take it to a workshop licensed by GM to do so.
I hope at least that you are able to change your tires or to fill the water tank.
PS: want a good scheme? First you make it so that people can't touch their car's computer. Afterwards, you hire someone to hack those cars on the fly and to mess with the computer, making it so that the car won't move.
Result: profit! The car will be taken to the closest workshop to get it fixed.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
At least the car is yours, and you control what it does.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
And that's why...
Also, did anyone else think of Micheal Hastings?
[ link to this | view in chronology ]
Slow going
This was pre-bankruptcy, when GM was at their zenith of incompetence. I think mid 1990's or so.
I remember watching that ad and my jaw hit the floor. The US Army managed to invent and deploy an atomic bomb in 4 years. We managed to get to the moon in less time.
I remember thinking to myself "It look 10 years and millions of dollars to figure out how to leave a light switch on? And you want to brag about that?".
I was embarrassed for them.
If anyone knows a YouTube video of that ad, I would love a link.
[ link to this | view in chronology ]
So can we also control the steering now?
[ link to this | view in chronology ]