
No over-the-air update means GM has to recall four million cars to fix fatal software defect

Graham CLULEY

September 13, 2016


US motor company General Motors is recalling four million vehicles worldwide due to a software bug that has been linked to at least one death.

A variety of trucks and cars released between 2014 and 2017 are to be recalled to have their software updated for free, according to an announcement issued by the National Highway Traffic Safety Administration on Friday.

The recalled vehicles are:

  • 2014-2016 Buick LaCrosse, Chevrolet SS, Chevrolet Spark EV
  • 2014-2017 Buick Encore, GMC Sierra 1500, Chevrolet Corvette, Chevrolet Trax, Chevrolet Caprice police car and Chevrolet Silverado 1500
  • 2015-2017 Chevrolet Tahoe, Chevrolet Suburban, Chevrolet Silverado HD, GMC Yukon, GMC Yukon XL, GMC Sierra HD, Cadillac Escalade and Cadillac Escalade ESV

The recall announcement makes clear that people are putting their lives at risk if they don’t have their cars updated with the fix:

“In the affected vehicles, certain driving conditions may cause the air bag sensing and diagnostic module (SDM) software to activate a diagnostic test. During this test, deployment of the frontal air bags and the seat belt pretensioners would not occur in the event of a crash.”

Sure, it doesn’t take a long time for a local car dealer to apply a flash update to a vehicle’s air bag sensing and diagnostic system.

But imagine doing that four million times. And imagine four million people having to go to the inconvenience of taking time off work to make the trip to their nearest GM car dealer to have the fix applied.

All software has bugs. We all know that. And the more software and computer technology that is put into cars, the more opportunities there are for mistakes to occur.

It’s simply not practical or economically viable to rely upon car owners bringing their cars back to a dealership every time they need a software fix. Imagine if you had to take your laptop to the computer store every time it required its software to be updated, or a security patch to be applied? You would go bonkers!

The obvious solution is to apply security patches over-the-air, remotely, without car owners having to physically take their vehicles to a particular place to have their software fixed.

That, of course, can also introduce its own dangers.

Cars are rapidly becoming the ultimate internet-enabled device, with more and more vehicles making use of the net to provide communication, entertainment and navigation features as well as “calling home” to provide diagnostics and enhanced security in the event of theft.

This is all very well and good and – let’s face it – can help set one car brimming with gizmos and gadgets ahead of its competitors, but the very fact that it is now a “connected” car can open opportunities for hackers to exploit.

This isn’t just speculation – there have been plenty of headlines of cars having their brakes disabled just by sending an SMS, Jeeps being hacked as they drive down the highway, and even reports of how researchers showed millions of GM cars were vulnerable to hackers for almost five years.

So, yes. We do want to be able to update a car’s software over-the-air to avoid the hassle that four million GM vehicle owners are about to experience, but we need to make sure that the updating infrastructure is secure and not vulnerable to being hacked itself.

As the Internet of Things escalates at an alarming pace, more attention needs to be given to security infrastructure, and to the building of safe systems that only allow legitimate, authorised, signed patches to be rolled out. Security needs to be a priority not just for the car industry, but for anyone who is manufacturing devices that they plan to connect to the internet.

In short: If it cannot be updated easily and safely, you shouldn’t even be thinking of connecting it to the internet.
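A minimal illustration of the “only signed patches” principle, added here as an example and not GM’s or any real manufacturer’s OTA code: the vehicle pins the manufacturer’s Ed25519 public key and refuses any image whose signature does not verify or whose version is not newer than the one installed (so an old but genuinely signed buggy image cannot simply be re-served). The package layout, names and version scheme are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed, minimal OTA package: image, monotonic version, signature over version||image.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}
// signedPayload binds the version to the image so neither can be swapped on its own.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], image)
	return buf
}
var ErrBadSignature = errors.New("update rejected: signature does not verify")
var ErrRollback = errors.New("update rejected: version is not newer than the installed one")

// SignUpdate models the manufacturer's offline signing step (assumed, not a real vendor's process).
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signedPayload(version, image))}
}

// VerifyUpdate is the check the vehicle runs before flashing: valid signature from the
// pinned key first, then an anti-rollback check so a re-served old signed image is refused.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedPayload(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vehicle pins pub at manufacture time
	u := SignUpdate(priv, 2, []byte("sdm-firmware-v2 (constructed image)"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, u))
	u.Image[0] ^= 1 // tampered in transit
	fmt.Println("tampered:", VerifyUpdate(pub, 1, u))
}
```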

This isn’t the first time that General Motors has had to recall millions of vehicles to patch safety bugs. For instance, a couple of years ago the firm recalled 2.6 million cars to fix a faulty ignition switch that could cause drivers to lose control and disable safety features such as power steering, airbags and anti-lock brakes.

Some 124 people are thought to have died as a result of that defect, with other victims suffering paralysis, amputation, significant burns and brain injuries.

The compensation fund reported last December that it had paid out $594.5 million to victims of that dangerous flaw, and paid a further $900 million to settle criminal charges after admitting it had covered up the problem for years.

If nothing else, let’s hope that huge fines and damages will help to focus the minds of those companies building the next generation of internet-enabled vehicles on what matters most: our safety.


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
