It Only Took GM Five Years To Patch Dangerous Vulnerability Impacting Millions Of Automobiles

from the good-job dept

For all the hype surrounding the “Internet of Things” (IOT), it’s becoming abundantly clear that the security actually governing the sector is little more than hot garbage. Whether it’s televisions that bleed unencrypted, recorded living room conversations, or refrigerators that expose your Gmail credentials, IOT developers were so excited to cash in on the brave new world of connectivity that security was an absolute afterthought. Entertainingly, that has resulted in many “smart” technologies being little more than advertisements for the fact that sometimes, it’s ok for your device to be as stupid as possible.

And while it’s annoying for your IOT toaster to be leaking login credentials or your new IOT toilet to be broadcasting bathroom habits on the Internet, when it comes to automobiles — human lives are at stake. And yet auto infotainment and network security is somehow the poster child for flimsy security practices. That was illustrated perfectly when hackers recently revealed that they were able to all-but take over some Chrysler cars from anywhere in the world provided they simply had the car’s IP address — allowing intruders to rewrite the firmware on the car’s head unit.

In that instance, Chrysler released a patch for the vulnerability before the research was even publicized, and quickly implemented a 1.4 million vehicle recall. But historically automakers aren’t that quick on their feet (nor are the vulnerabilities that publicized). Millions of GM vehicles, for example, suffered from a similar flaw that allowed hackers to effectively take over everything in the vehicle except for the steering. That particular problem, it was revealed this month, took GM the better part of five years to actually fix despite being a relatively low-tech hack:

“The intrusion technique began with a phone call to the Impala’s OnStar computer. Because Verizon’s voice network coverage was more reliable than its data network, the OnStar computers were programmed to establish a connection to any computer that played a certain series of audio tones, like an old-fashioned modem. UW’s Koscher reverse engineered that audio protocol and created an mp3 file that could trigger a vulnerability in the computer known as a “buffer overflow.”

From that initial audio attack, the attackers could pivot to take control of the OnStar computer’s higher-bandwidth data connection and finally penetrate the car’s CAN bus, the collection of networked computers inside a vehicle that control everything from its windshield wipers to its brakes and transmission. Put simply, “you play this song to it, and the car’s taken over,” says UCSD’s Savage.”

And yes, while the vulnerability in question (which impacted the 2009 Chevy Impala) saw much less media coverage because the hackers didn’t publicly name the vehicle, the vulnerability still existed for any hacker or intelligence agency operative to play with at their leisure for half a decade. And while the hackers obscured the vehicle name with masking tape when demonstrating it repeatedly to “a wide variety of government and even military agencies” and the media (like in this 60 Minutes episode earlier this year), it likely wasn’t very hard to guess which car they were talking about. Meanwhile, what’s the over-under for local law enforcement accurately pinning the source of potential accidents on a vehicle’s compromised infotainment firmware?

The hackers are quick to downplay GM’s negligence here, but note that the company’s failures are a symptom of a much bigger disease:

“But the researchers argue that GM’s years-long failure to fully protect its vehicles from that attack doesn’t reflect on GM’s negligence, so much as a lack of security preparation in the entire industry of Internet-connected cars. Automakers five years ago simply weren’t equipped to fix hackable bugs in their vehicles’ software, the way that Microsoft and Google have long fixed bugs within weeks or even hours after they are disclosed to them. And many of those companies may not be much better prepared today.

“They just didn’t have the capabilities we take for granted in the desktop and server world,” says Stefan Savage, the UCSD professor who led one of the two university teams who worked together to hack the Impala. “It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists.”

GM says that since this flaw was exposed, they’ve at least developed the ability to push over-the-air firmware updates to vehicles (though 90% of the time, even new vehicle updates require a user USB install or dealership visit). But the fact it took GM five years of hammering away at the exploit to fix it makes it abundantly clear that the auto-industry is out of its depth when it comes to securing its new generation gee whizzery. And if it took five years to develop a single fix for a single vehicle, just how long do we think it will take for the auto industry to overhaul its entire vulnerability response and reporting systems?

Companies: gm


Comments on “It Only Took GM Five Years To Patch Dangerous Vulnerability Impacting Millions Of Automobiles”

42 Comments
Machin Shin (profile) says:

Is it just me that is really puzzled by how stupid these companies are? It seems really simple to me, the entertainment system and the car control system should be air gapped. There is no excuse to have these two systems talking to each other.

Even if you want to display diagnostic info, that should be set up as a very strict one direction messaging system. This whole idea of let’s connect the dvd player to the accelerator is just stupid in so many different ways.

As for the onstar, I have always thought that system seemed creepy and I have zero interest in owning a car with that system on it. I do not trust a company enough to be handing over that level of control of my vehicle. The idea that someone in an office can push a button to unlock and crank my car…. No thank you.

Anonymous Coward says:

Re: Re:

Air Gapping is simply not necessary, abstraction will generally be more than enough separation to separate systems in a secured manner.

However, Good security on these things are… companies are only interested in getting a product out as cheap as possible and would rather spend money on DMCA and Copyright measures to keep hackers out in vain attempts to keep their shitty as code work hidden from prying minds.

Anonymous Coward says:

Re: Re: Re: Re:

You still seem to fail to understand my comment.

Air Gapping is a clear non-physical connection of the devices in question just to keep air between them. I am just saying the air-gap separation of devices in the vehicle does not have to go that far to keep them disconnected from each other.

As we advance in technology it will soon become a reality for devices to be merely in close proximity to a device not even capable of connecting to a remote device to actually receive unwanted interference. So yea, if the radio in the car can be properly compromised it could potentially be used to emit a signal of sufficient quality to alter the vehicle’s driving behavior even if the device receiving this interference was not even designed to intentionally receive it.

Mason Wheeler (profile) says:

Re: Re:

Is it just me that is really puzzled by how stupid these companies are? It seems really simple to me, the entertainment system and the car control system should be air gapped. There is no excuse to have these two systems talking to each other.
Where does the one end and the other begin?

My car has two screens, a small one on the dashboard with basic diagnostic information, and large one off to the right with a touchscreen that handles entertainment, climate control, phone interface, and GPS.

The large one also displays the backup camera view when I put it in Reverse. The control system has to be able to talk to it to tell it when the car’s in Reverse, and also to tell it which way the wheel is turned so it can draw the curved guidelines, and to give it feedback from the collision sensors so it can incorporate that into the picture as well. The backup camera is a basic safety feature, and you really want it to be drawn on the large screen so you can see it clearly.

On the other hand, the one on the dash, that specializes in basic diagnostic info (odometer, fuel levels, maintenance warnings, etc.) will also display the distance to and direction of your next turn, when the GPS is active. It has to get that from the “entertainment system”. I’d categorize this as a safety feature too: it’s simpler and less distracting to glance down than to look off to the side, and when you’re driving on GPS guidance it’s because you already don’t know the route by heart, which means you need to be paying more attention to the road than usual.

You can’t put the GPS into the diagnostic system, though, because the complexity of entering a destination requires a relatively sophisticated input mechanism such as a touchscreen. And before anyone suggests that the GPS shouldn’t be integrated into the car’s computer at all, I’ve done the whole “external GPS unit” thing with rental cars, and it sucks. Aside from the usual difficulty mounting them so they’re 1) visible and 2) stable enough that they won’t fall off every time you brake or turn, when it’s not integrated with the car’s entertainment system, it can’t turn the radio down when it announces an upcoming turn.

So yeah, there are a lot of legitimate reasons for the two subsystems to be able to talk to each other that make the driving experience better and safer. Beware throwing the baby out with the bath water.

orbitalinsertion (profile) says:

Re: Re: Re:

No, it isn’t just you. There is some sort of broken mentality culture where morons make critical systems and infrastructure accessible over public IP networks. Then there is decades of hand-wringing and power and authority grabbing and privacy smashing so governments and corporations can produce a little theatre about making you safer instead of doing the one sensible thing and disconnecting that which never should have been connected in the first place, whether it is your car, or SCADA systems, or secret/private/sensitive data servers.

And if you have one half-decent developer and a management that does not contradict them, you wouldn’t have such idiotic security flaws in the first place. It’s like they go out of their way to make these systems vulnerable in ways the most moronic author of tech-in-fiction could not possibly make up.

tqk (profile) says:

Re: Re: Some things shouldn't be automated.

Is it just me that is really puzzled by how stupid these companies are?

Reading this, I’m thinking more the users. What you’ve just described is the natural progression of replacing manual transmission with automatic transmission. Why? Users are often too lazy and impatient to learn complex skills, such as driving a car using both hands and both feet and both eyes, not to mention ears and touch and feeling centrifugal forces acting upon their body, all in constant balance and communication using one’s brain.

To simplify, think about the spatial orientation skills needed to use rear and side view mirrors in conjunction with all those other skills of controlling a vehicle, but in reverse. Too many potential drivers found that operation far too difficult and time consuming to learn, so now we have a TV and cameras and proximity detectors built in so the driver doesn’t need to learn how to drive backwards using mirrors. Now, they rely on magic bullets instead. It only costs $30k/vehicle to implement and doesn’t work very well, but people hate learning to do the alternative so it’s worth it to them.

Stunning. I’d always wondered where the impetus for this stuff was. This is what happens when you overdose on George Jetson at a young age. Thanks for explaining it so well.

Anonymous Coward says:

The Answer!!!

just how long do we think it will take for the auto industry to overhaul its entire vulnerability response and reporting systems?

Is Never, unless you make it a law, business will never do it. I am not saying that a law should be made either, but I am also the type that thinks we need to remove all of the warning labels off shit and let people just be taken advantage of relentlessly. Foolishness should legally be its own reward!

Mason Wheeler (profile) says:

I remember back in high school, there was a joke going around:

The president of GM was talking with Bill Gates, and Bill said to him, “you know, if we designed cars the way we designed computers, after this many years of improvements we’d all be driving a car that could go 300 MPH, got a thousand MPG, and cost $500.”

The president of GM just chuckled at him and said, “yeah, but who wants a car that crashes every day?”

Suddenly that joke’s a lot less funny.

Anonymous Coward says:

??? If you don't like this, then why the hell are you wanting to allow modifications to it?

“human lives are at stake” — Yes, as I wrote when you kids were whining that GM and John Deere are locking up code by copyright!

This cannot be squared with your prior articles except that the underlying purpose is gives you way to attack copyright and thereby an article.

There’s no baby to be thrown out here, just unnecessary hazards.

No sane person wants a car computer to be modifiable, nor to have ANY external input. Should at most have an output only port just constantly repeating diagnostics, not even on demand. Any changes require physical replacement. — And it shouldn’t do much in first place! Just replace a few functions difficult to do mechanically. Weenie-ing is not necessary, can’t do magic of making an Impala get 100 miles per gallon.

You kids do know that “Onstar” and most modern cars have radio-activated kill switches, right? You don’t own cars anymore, the state does. — You don’t even rail at the imminent surveillance / control by “IOT”, just want to sit and watch stolen entertainments.


Attempt # 6! Techdirt tries and fails to keep me out! How can the IOT ever be safe?

Mason Wheeler (profile) says:

Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?

No sane person wants a car computer to be modifiable, nor to have ANY external input.

I want my car to take input from my phone (hands-free calling and text message-reading) and from any USB device I plug in that contains music.

I also want to be able to write a simple app to run on my car’s computer, so that when it starts up and scans automatically for the phone it’s expecting to pair up with, if it doesn’t find it, it will sound an alert on the speakers and flash a warning at me. This will keep me from accidentally forgetting and leaving my phone at home, which occasionally happens.

Am I insane for wanting either of those things?

ltlw0lf (profile) says:

Re: Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?

I want my car to take input from my phone (hands-free calling and text message-reading) and from any USB device I plug in that contains music.

Off-topic, but Mason, have you ever considered a carpc?

Don’t need anything integrated into the car bus network, just a simple carpc that runs Linux, has bluetooth and does everything you want. Car already supplies 12v DC on the accessory or radio power wire, and getting a 12v DC power supply is far cheaper than a DC/AC/DC converter.

Unfortunately, they aren’t cheap, but they are getting far cheaper now that miniitx boards are getting cheaper and the components are getting more standardized (I still hate buying memory for them though…since it is always a crapshoot on how tall the memory will be to fit in one of these things). My first carpc was about $1000, but they are getting cheaper…only big issue now is the price of the DIN case, but you can always mount the computer under a chair or behind the control panel and leave the radio in the car if you want to still have access to that.

Mason Wheeler (profile) says:

Re: Re: Re: ??? If you don't like this, then why the hell are you wanting to allow modifications to it?

Sounds interesting, but see my big comment above. Having the car’s computer able to run both the entertainment system and the GPS means that the GPS can “interrupt” the radio when it’s time to read a turn to you. This might not seem like a big deal, but trust me, when you’ve experienced GPS navigation both with and without that feature, you really notice the difference.

Anonymous Coward says:

Re: Re: Re:2 ??? If you don't like this, then why the hell are you wanting to allow modifications to it?

The GPS, like the entertainment system, has no need to talk to the car controls, and can be considered part of the entertainment system, as can any Bluetooth connection to phones etc. If it is desirable for the car control system to interrupt the entertainment system, it can use a relay to switch its power or speaker connections.

Anonymous Coward says:

All are la e with updates except ...

Tesla was advised of a vulnerability once, all vehicles were updated by the end of the week … I think BMW and Mercedes have a similar push update mechanism now on the new models. Domestic brands as usual sees what the other guys do then thinks about it. Hardly leads in anything much less provide quality products on par with imports which are manufactured domestically …

Stephen says:

GM Hacks Itself!

Hey Karl you left out the scariest part! From the Wired article:

GM chief product cybersecurity officer Jeff Massimilla hints to WIRED that performing the cellular update on five-year-old OnStar computers required some sort of clever hack, though he refused to share details. “We provided a software update over the air that allowed us to remediate the vulnerability,” Massimilla writes in an email. “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

Think about that! GM was able to hack its own cars in order to deliver an update over the Internet! If GM could do that to deliver a legitimate patch so can any hacker worth their salt to surreptitiously deliver changes to a car’s computing system that would benefit the hacker!

The fact that GM will say little about that “clever hack” suggests the hack itself may still exist. If so what’s the betting that there are now hackers out there trying their darnedest to find and exploit it themselves?

Ninja (profile) says:

Re: GM Hacks Itself!

The fact that GM will say little about that “clever hack” suggests the hack itself may still exist.

Or not. Maybe they patched it to clear this hack as well. Reminds me of a few viruses that once inside they take precautions to avoid further infections by ‘competing’ ones such as updating Windows and turning firewalls and everything else on.

Anonymous Coward says:

So, they claim you can’t tinker with the software on your car because of copyrights, they add up the EPA claiming it’s because of contamination or safety.

Now, there is a vulnerability that took 5 years to fix, that could have brought a lot of “safety issues”.

You see, they don’t want to take away the ability to modify your car. That’s where we are derailing the issue.

They want to take away from you the ability to even repair your own car. You see, some computers require resetting after a component is changed. Now, if you can’t even reset your computer, it means that you can’t repair your car and that you will have to take it to a workshop licensed by GM to do so.

I hope at least that you are able to change your tires or to fill the water tank.

PS: want a good scheme? First you make it so that people can’t touch their car’s computer. Afterwards, you hire someone to hack those cars on the fly and to mess with the computer, making it so that the car won’t move.

Result: profit! The car will be taken to the closest workshop to get it fixed.

yankinwaoz (profile) says:

Slow going

Does anyone remember that GM ad where they were tooting their own horn about implementing daytime running light? They were bragging that it took 10 years and millions of dollars of research.

This was pre-bankruptcy, when GM was at their zenith of incompetence. I think mid 1990’s or so.

I remember watching that ad and my jaw hit the floor. The US Army managed to invent and deploy an atomic bomb in 4 years. We managed to get to the moon in less time.

I remember thinking to myself “It took 10 years and millions of dollars to figure out how to leave a light switch on? And you want to brag about that?”.

I was embarrassed for them.

If anyone knows a YouTube video of that ad, I would love a link.

Anonymous Coward says:

“…Millions of GM vehicles, for example, suffered from a similar flaw that allowed hackers to effectively take over everything in the vehicle except for the steering. That particular problem, it was revealed this month, took GM the better part of five years to actually fix despite being a relatively low-tech hack:…”

So can we also control the steering now?
