
Millions of General Motors’ cars were vulnerable to hackers for almost five years

Photo credits: Pixabay

Although car hacking has hit the headlines like never before this year with Jeeps being commandeered remotely as they shoot down the highway at 70mph, and security researchers revealing how they can disable a vehicle’s brakes just by sending an SMS, it’s not actually a new phenomenon.

For instance, researchers at the University of California at San Diego and the University of Washington have been studying automobile security for half a decade, and warned General Motors that millions of its cars and trucks were vulnerable to attacks as far back as the spring of 2010.

As Wired reports, it was back then that the security researchers warned GM that they had managed to remotely exploit the OnStar dashboard computer fitted on some vehicles, giving them remote control over the car.

You can see the attack in action in this video clip from US news show “60 Minutes”, broadcast earlier this year.

In that report, the car’s make and model were disguised with masking tape. But now the truth can be told: it was a Chevrolet Impala.

The car-hacking attack saw the Impala’s OnStar computer contacted via an ordinary phone call, with an MP3 file of different tones played down the line to confuse the software answering the call and trigger a buffer overflow vulnerability.

The attackers could then inject their own code into the car’s computer remotely and take control of its systems.
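The bug class described in the two paragraphs above, as an added example that is not part of the original article and is not GM’s or OnStar’s code: a constructed C decoder for a length-prefixed command frame arriving as audio-modem tones, in a version that trusts the caller’s length byte beside one that checks it against the buffer. The frame format, the hex-digit tone alphabet, the 16-byte buffer and the `privileged` flag placed directly after it are all assumptions made for this example.

```c
/* Constructed illustration of a buffer overflow in a message decoder that is
 * fed by an audio modem.  Not GM/OnStar code: the frame layout, the tone
 * alphabet, FRAME_CAP and the struct layout are assumptions for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_CAP 16  /* assumed capacity of the unit's command buffer */

/* Assumed per-call state: the command buffer sits directly in front of a
 * flag that gates privileged (diagnostic/control) commands. */
struct session {
    uint8_t frame[FRAME_CAP];
    uint8_t privileged;
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Stand-in for the audio modem: each tone carries one hex digit, two tones
 * per byte.  Returns the number of bytes written, or -1 on a malformed stream. */
static int tones_to_bytes(const char *tones, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(tones);
    if (n % 2 != 0 || n / 2 > out_cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(tones[i]), lo = hexval(tones[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Assumed frame format: msg[0] = payload length, msg[1..] = payload. */

/* VULNERABLE: checks that the input holds `len` bytes but never checks that
 * the destination can hold them, so the caller's length byte decides how far
 * the copy runs.  The copy goes through the struct pointer so the demo stays
 * inside one object (defined behaviour); a real decoder would write into
 * s->frame and run into whatever the toolchain placed after it. */
static int decode_frame_unchecked(struct session *s, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;
    memcpy((uint8_t *)s + offsetof(struct session, frame), msg + 1, len);
    return (int)len;
}

/* FIXED: the length is validated against the destination capacity first. */
static int decode_frame_checked(struct session *s, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len > FRAME_CAP || msg_len < 1 + len) return -1;
    memcpy(s->frame, msg + 1, len);
    return (int)len;
}

/* Constructed attack stream: length 0x11 (17 bytes), 16 filler bytes of 0x41,
 * then 0x01, which lands on `privileged` in the unchecked decoder.  Returns 1
 * when the unchecked decoder is compromised and the checked one rejects it. */
int demo_overflow(void)
{
    static const char attack_tones[] =
        "11" "4141414141414141" "4141414141414141" "01";
    uint8_t msg[64];
    if (sizeof(struct session) != FRAME_CAP + 1) return 0;  /* layout assumption */
    int n = tones_to_bytes(attack_tones, msg, sizeof msg);
    if (n != 18) return 0;

    struct session a = {{0}, 0}, b = {{0}, 0};
    int ru = decode_frame_unchecked(&a, msg, (size_t)n);
    int rc = decode_frame_checked(&b, msg, (size_t)n);
    return ru == 17 && a.privileged == 1 && rc == -1 && b.privileged == 0;
}

/* A well-formed 4-byte frame (constructed) is accepted by both decoders and
 * leaves the flag alone.  Returns 1 on the expected outcome. */
int demo_benign(void)
{
    uint8_t msg[64];
    int n = tones_to_bytes("04" "DEADBEEF", msg, sizeof msg);
    if (n != 5) return 0;
    struct session a = {{0}, 0}, b = {{0}, 0};
    return decode_frame_unchecked(&a, msg, (size_t)n) == 4 &&
           decode_frame_checked(&b, msg, (size_t)n) == 4 &&
           a.privileged == 0 && b.privileged == 0 &&
           memcmp(a.frame, b.frame, 4) == 0;
}

int main(void)
{
    printf("attack frame: %s\n", demo_overflow()
           ? "unchecked decoder compromised, checked decoder rejected" : "unexpected");
    printf("benign frame: %s\n", demo_benign() ? "both decoders accepted" : "unexpected");
    return 0;
}
```

Compile with any C compiler and run: the unchecked decoder accepts the 17-byte frame and the flag behind the buffer flips to 1, while the checked decoder rejects the same frame before touching memory. The copy in `decode_frame_unchecked` deliberately stays inside the struct so the demonstration is well-defined; in a real unit the overrun lands on whatever the toolchain placed after the buffer, which is what turns such a bug into a path to code injection rather than just a crash.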

Frightening stuff. But perhaps more worrying is that General Motors – despite best intentions – struggled to fix the problem.

Although GM tried to fix the flaw properly, updating the software in later models and attempting to block calls from unauthorized numbers, the researchers sidestepped those efforts and found they were still able to reach vulnerable vehicles.


GM’s chief product cybersecurity officer, Jeff Massimilla, told Wired reporter Andy Greenberg that the company was only able earlier this year to perform a cellular update of the older OnStar computers – almost five years after it was first alerted to the issue.

The update is something of an achievement in itself, as the vehicles were not designed to receive updates that way – which raises eyebrows, since it suggests GM may have exploited vulnerabilities in its own cars to get customers’ vehicles patched, rather than initiate an expensive and disruptive recall to dealerships.

The five-year delay is blamed on the car manufacturer not being properly prepared for hacking attacks and their remediation – a threat which, Massimilla is keen to emphasise, the company is now much more capable of responding to:

“The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity. Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”

Certainly it is encouraging that GM appears to have pushed out a fix within a couple of days for a flaw found in July in its OnStar iOS app.

All the same, the speed at which automobile manufacturers are racing to connect their vehicles to the internet raises serious concerns about safety and security. Whether or not GM is now treating the hacking threat seriously, one has to wonder if other manufacturers are doing enough to prevent hackers from hijacking their cars remotely.

After all, if cars can be hacked, then it’s our lives not just our data that could be at risk.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

7 Comments


  • There is no such beast as the “Chrysler Impala.” It’s as mythical as the Microsoft iPad Pro.

    Chevrolet (long-term component of General Motors) makes the Impala.

  • This is scary stuff and I appreciate the article. However, there is no such thing as a Chrysler Impala. There is a Chevrolet Impala. You may want to correct your story.

  • Is it possible that all those big black GM SUVs in which the President and many other VIPs are driven around have been vulnerable to hacking for the last five years?

  • There is an error in the 5th paragraph – the one just below the video. “In that report, the car’s make and model was disguised by masking tape. But now the truth can be told. It was a Chrysler Impala.”
    The “Impala” model is made by GM; and, is within the Chevrolet class. Chrysler is a totally different company.