
No over-the-air update means GM has to recall four million cars to fix fatal software defect

Source: cars.com

US motor company General Motors is recalling four million vehicles worldwide due to a software bug that has been linked to at least one death.

A variety of trucks and cars released between 2014 and 2017 are to be recalled to have their software updated for free, according to an announcement issued by the National Highway Traffic Safety Administration on Friday.

The recalled vehicles are:

  • 2014-2016 Buick LaCrosse, Chevrolet SS, Chevrolet Spark EV
  • 2014-2017 Buick Encore, GMC Sierra 1500, Chevrolet Corvette, Chevrolet Trax, Chevrolet Caprice police car and Chevrolet Silverado 1500
  • 2015-2017 Chevrolet Tahoe, Chevrolet Suburban, Chevrolet Silverado HD, GMC Yukon, GMC Yukon XL, GMC Sierra HD, Cadillac Escalade and Cadillac Escalade ESV

The recall announcement makes clear that people are putting their lives at risk if they don’t have their cars updated with the fix:

“In the affected vehicles, certain driving conditions may cause the air bag sensing and diagnostic module (SDM) software to activate a diagnostic test. During this test, deployment of the frontal air bags and the seat belt pretensioners would not occur in the event of a crash.”

Sure, it doesn’t take a long time for a local car dealer to apply a flash update to a vehicle’s air bag sensing and diagnostic system.

But imagine doing that four million times. And imagine four million people having to go to the inconvenience of taking time off work to make the trip to their nearest GM car dealer to have the fix applied.

All software has bugs. We all know that. And the more software and computer technology that is put into cars, the more opportunities increase for mistakes to occur.

It’s simply not practical or economically viable to rely upon car owners bringing their cars back to a dealership every time they need a software fix. Imagine if you had to take your laptop to the computer store every time it required its software to be updated, or for a security patch to be applied? You would go bonkers!

The obvious solution is to apply security patches over-the-air, remotely, without car owners having to physically take their vehicles to a particular place to have their software fixed.

That, of course, can also introduce its own dangers.

Cars are rapidly becoming the ultimate internet-enabled device, with more and more vehicles making use of the net to provide communication, entertainment and navigation features as well as “calling home” to provide diagnostics and enhanced security in the event of theft.

This is all very well and good and – let’s face it – can help set one car brimming with gizmos and gadgets ahead of its competitors, but the very fact that it is now a “connected” car can open opportunities for hackers to exploit.

This isn’t just speculation – there have been plenty of headlines of cars having their brakes disabled just by sending an SMS, Jeeps being hacked as they drive down the highway, and even reports of how researchers showed millions of GM cars were vulnerable to hackers for almost five years.

So, yes. We do want to be able to update a car’s software over-the-air to avoid the hassle that four million GM vehicle owners are about to experience, but we need to make sure that the updating infrastructure is secure and not vulnerable to being hacked itself.

As the Internet of Things escalates at an alarming pace, more attention needs to be given to security infrastructure, and the building of safe systems that only allow legitimate authorised signed patches to be rolled out. Security needs to be a priority not just for the car industry, but for anyone who is manufacturing devices that they plan to connect to the internet.

In short: If it cannot be updated easily and safely, you shouldn’t even be thinking of connecting it to the internet.

This isn’t the first time that General Motors has had to recall millions of vehicles to patch safety bugs. For instance, a couple of years ago the firm recalled 2.6 million cars to fix a faulty ignition switch that could cause drivers to lose control and disable safety features such as power steering, airbags and anti-lock brakes.

Some 124 people are thought to have died as a result of that defect, with other victims suffering paralysis, amputation, significant burns and brain injuries.

The compensation fund reported last December that it had paid out $594.5 million to victims of that dangerous flaw, and GM paid a further $900 million to settle criminal charges after admitting it had covered up the problem for years.

If nothing else, let’s hope that huge fines and damages will help to focus the minds of those companies building the next generation of internet-enabled vehicles on what matters most: our safety.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

5 Comments


  • Thanks for talking about the downside of allowing over the air updates as well. It's easy to say they should, but lots to think about in doing it.

  • Your premise is on, except for drawing an analogy of bringing your computer back for maintenance. Not many people do their own oil changes, balance their tires, etc. because they lack the skills, equipment, or time. By their nature, cars for some time will have consumable components that require service.

    4 million vehicles is a lot of cars. Considering the nationwide network of 4,886 General Motors dealerships (GM's 2015 10k filing), the capacity to service those vehicles exists.

    I personally would not trust an 'over the air' update on a car. The reason is car companies do not like to work together on technology. Car companies typically function as conglomerates, and some may agree to work on a standard. The issue is that the security of any solution put out by a car company or conglomerate would lack peer review (patents, competitive edge, etc). Lack of proper peer review and well, Bruce said it best with the multiple examples of Schneier's Law over the decades.

    You see this with your stated example of sending a SMS to a Jeep to disable the brakes.

    The best path for a resilient method likely lies with government agencies such as NTSA in the US. Standards are slow, but this would best be tied into a safety standard if it were to be viable.

    In the absence of peer-reviewed security standards, taking your car back to a dealer you have a relationship with that you can trust is the way to ensure the safety of your loved ones.

    About me:

    13 years in the Automotive sector concluding as a Service Manager for a multi-line dealer. I switched careers 21 years ago in the early days of computer networks and the budding cyber-security space. I've co-authored standards within the Trusted Computing Group and co-authored patents in the network security space.

    • Another reason auto makers will have to focus more on the security side of the business instead of bringing some shiny Car Play for infotainment