It Only Took GM Five Years To Patch Dangerous Vulnerability Impacting Millions Of Automobiles
from the good-job dept
And while it's annoying for your IOT toaster to be leaking login credentials or your new IOT toilet to be broadcasting bathroom habits on the Internet, when it comes to automobiles -- human lives are at stake. And yet auto infotainment and network security is somehow the poster child for flimsy security practices. That was illustrated perfectly when hackers recently revealed that they were able to all-but take over some Chrysler cars from anywhere in the world provided they simply had the car's IP address -- allowing intruders to rewrite the firmware on the car's head unit.
In that instance, Chrysler released a patch for the vulnerability before the research was even publicized, and quickly implemented a 1.4 million vehicle recall. But historically automakers aren't that quick on their feet (nor are the vulnerabilities that publicized). Millions of GM vehicles, for example, suffered from a similar flaw that allowed hackers to effectively take over everything in the vehicle except for the steering. That particular problem, it was revealed this month, took GM the better part of five years to actually fix despite being a relatively low-tech hack:
"The intrusion technique began with a phone call to the Impala’s OnStar computer. Because Verizon’s voice network coverage was more reliable than its data network, the OnStar computers were programmed to establish a connection to any computer that played a certain series of audio tones, like an old-fashioned modem. UW’s Koscher reverse engineered that audio protocol and created an mp3 file that could trigger a vulnerability in the computer known as a “buffer overflow.”And yes, while this vulnerability in question (which impacted the 2009 Chevy Impala) saw much less media coverage because the hackers didn't publicly name the vehicle, the vulnerability still existed for any hacker or intelligence agency operative to play with at their leisure for half a decade. And while the hackers obscured the vehicle name with masking tape when demonstrating it repeatedly to "a wide variety of government and even military agencies" and the media (like in this 60 Minutes episode earlier this year), it likely wasn't very hard to guess which car they were talking about. Meanwhile, what's the over-under for local law enforcement accurately pinning the source of potential accidents on a vehicle's compromised infotainment firmware?
Put simply, “you play this song to it, and the car’s taken over,” says UCSD’s Savage. From that initial audio attack, the attackers could pivot to take control of the OnStar computer’s higher-bandwidth data connection and finally penetrate the car’s CAN bus, the collection of networked computers inside a vehicle that control everything from its windshield wipers to its brakes and transmission. Put simply, “you play this song to it, and the car’s taken over,” says UCSD’s Savage."
The hackers are quick to downplay GM's negligence here, but note that the company's failures are a symptom of a much bigger disease:
"But the researchers argue that GM’s years-long failure to fully protect its vehicles from that attack doesn’t reflect on GM’s negligence, so much as a lack of security preparation in the entire industry of Internet-connected cars. Automakers five years ago simply weren’t equipped to fix hackable bugs in their vehicles’ software, the way that Microsoft and Google have long fixed bugs within weeks or even hours after they are disclosed to them. And many of those companies may not be much better prepared today.GM says that since this flaw was exposed, they've at least developed the ability to push over-the-air firmware updates to vehicles (though 90% of the time, even new vehicle updates require a user USB install or dealership visit). But the fact it took GM five years of hammering away at the exploit to fix it makes it abundantly clear that the auto-industry is out of its depth when it comes to securing its new generation gee whizzery. And if it took five years to develop a single fix for a single vehicle, just how long do we think it will take for the auto industry to overhaul its entire vulnerability response and reporting systems?
"They just didn’t have the capabilities we take for granted in the desktop and server world,” says Stefan Savage, the UCSD professor who led one of the two university teams who worked together to hack the Impala. “It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists."