Researchers at the University of California at San Diego and the University of Washington found a way to hack OnStar computers and take almost total control of GM vehicles. The research team privately disclosed the results to the National Highway Traffic and Safety Administration and to GM, yet it took the motor company nearly five years to fully protect vehicles from the hacking technique.
“We basically had complete control of the car except the steering,” says Karl Koscher, one of the security researchers who helped to develop the attack. “Certainly it would have been better if it had been patched sooner.”
Koscher was able to connect to an OnStar system through Verizon's voice network and reached an audio tone that the computer played. Koscher reverse engineered the sound and was able to create an mp3 file that could overflow the computer with data when it heard the tone.
GM tried multiple times to fix the hack, but measures failed due to technical issues between Verizon networks and OnStar computers.
However, researchers say it's not all GM's fault it took so long to patch an update.
"They just didn't have the capabilities we take for granted in the desktop and server world," says Stefan Savage, the UCSD professor who led one of the two university teams who worked together to hack a 2009 Chevrolet Impala. He continued saying that the whole industry of Internet-connected cars had similar vulnerabilities in security.
"It's kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn't a universal incident response and update system that exists," Savage says.
GM chief product cybersecurity officer Jeff Massimilla says that performing the cellular update on five-year-old OnStar computers required some sort of clever hack. “We provided a software update over the air that allowed us to remediate the vulnerability,” Massimilla writes in an email. “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”
But Massimilla also admits that GM took so long to fully protect its vehicles because it simply wasn’t ready in 2010 to deal with the threat of car hackers. He contrasts that response to GM’s cybersecurity practices today, such asissuing a fix in just two days when it was alerted to a flaw in its iOS OnStar app in July. “The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity,” he writes. “Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”
Koscher was able to publicly display the possibilities of a car hack on an episode of 60 Minutes, which aired in February of this year.
Sign Up
