Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Transportation IT

GM Performs Stealth Update To Fix Security Bug In OnStar 91

An anonymous reader writes: Back in 2010, long before the Jeep Cherokee thing, some university researchers demonstrated remote car takeover via cellular (old story here). A new Wired article reveals that this was actually a complete exploit of the OnStar system (and was the same one used in that 60 Minutes car hacking episode last year). Moreover, these cars stayed vulnerable for years -- until 2014, when GM created a remote update capability and secretly started pushing updates to all the affected cars.
This discussion has been archived. No new comments can be posted.

GM Performs Stealth Update To Fix Security Bug In OnStar

Comments Filter:
  • The only fix... (Score:5, Insightful)

    by Anonymous Coward on Thursday September 10, 2015 @11:58AM (#50496081)

    The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

    • by Anonymous Coward

      What you propose is at variance with how the market works.

      People will get upset every time an exploit is found. The vendor will give assurances that the problem has been fixed (whether it has or not), and business will proceed as usual.

      You can pound your fist and say it shouldn't be that way all you like. But it is that way. All you can really do is figure out the best way to adapt to it.

      Trying to control the world will only bring you stress.

      • by Anonymous Coward

        So far it hasn't. However, if OnStar does get hacked, it might be something large enough to change the psyche of consumers here in the US.

        Doesn't take much. Hurricane starts to bear down on a coastal city. Evacuation starts. Bad guy logs on, disables one set of cars leaving. When those are starting to get towed, he disables another set of vehicles. Or he just kills all OnStar-linked vehicles and drops the network by purging some core router configs and changing uplink passwords. Now the hurricane is

      • The challenge here is that many people will continue to make this defeatist argument until something very, very bad happens, because most people are not good at evaluating the risk from rare but extremely damaging events. Regulators should be stepping in to control the world of the auto manufacturers until they get their house in order on this one, because unfortunately, unlike most of the security theatre we see in the modern world, mass casualties due to compromised auto software is actually a credible ri

        • by mlts ( 1038732 )

          The problem is that nobody gives a rat's ass until people wind up dying on a massive scale, as in the hundreds to thousands. Even hacking a jetliner isn't going to do the trick because people are starting to get used to them being dropped out of the sky.

          The biggest issue is the perception that "security has no ROI", combined with "the hackers can get us no matter what we do". Both are BS. If one looks at physical security, even the liquor store in the no-man's-land neighborhood has more than adequate phy

          • The problem is that nobody gives a rat's ass until people wind up dying on a massive scale, as in the hundreds to thousands.

            Isn't the real problem that in this case that might actually happen? A few posters right here in this discussion have already described some very nasty scenarios that could have that kind of result, and the necessary proofs of concept have already been demonstrated, which is why we're having today's discussion in the first place.

            All too literally, the only thing protecting us from this kind of attack right now is the blessing that there aren't yet very many people in the world with all of the knowledge, the

            • by mlts ( 1038732 )

              Pretty much. We have enough good people out there that act as goalie, preventing a lot of disasters. However, this is only a matter of time before we get an attack that is a perfect storm where the good guys were not able to stop it.

              In the past, we have had two groups: People who had the will do do harm, and would do anything to do it, and people who had the way and knowledge to do harm... but who were not into hurting people as their primary reason of existing. However, as things change, we are startin

        • Oh no! More regulations? Are you a communist?!?! Bwahahaha

    • Re:The only fix... (Score:4, Interesting)

      by cayenne8 ( 626475 ) on Thursday September 10, 2015 @12:06PM (#50496161) Homepage Journal

      The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

      Or at least the car manufacturers should give the purchaser the OPTION on whether to have this hardware/software installed or not.

      It used to be an "option"...why did it become now a standard fixture. Sadly it seems these systems are so integrated now, you can't keep the car functioning without them.

      It should be a modular thing that you can request to have or not have....

      Are there any good ways to disable OnStar and the Uconnect apps, and prevent them from communicating wirelessly at least?

      • by Archangel Michael ( 180766 ) on Thursday September 10, 2015 @12:16PM (#50496269) Journal

        OnStar is GM's version of ongoing revenue stream from previous customers.

      • by Anonymous Coward

        Find and remove antenna feed.

      • by Qzukk ( 229616 )

        that you can request to have or not have

        Last time I went to buy a car (2010) I was told by two different dealerships (Hyundai and Ford) that requesting anything was no longer "a thing" (though I could buy an aftermarket radio upgrade at full price plus installation and no, they won't deduct the cost of the basic radio from the car). You can't even ask for them to get a car in a certain color (in my case, silver, not some freaky special order limited edition "burnt yellow ice" or whatever). You can buy wha

        • Re:The only fix... (Score:4, Informative)

          by cayenne8 ( 626475 ) on Thursday September 10, 2015 @12:40PM (#50496489) Homepage Journal

          Last time I went to buy a car (2010) I was told by two different dealerships (Hyundai and Ford) that requesting anything was no longer "a thing" (though I could buy an aftermarket radio upgrade at full price plus installation and no, they won't deduct the cost of the basic radio from the car). You can't even ask for them to get a car in a certain color (in my case, silver, not some freaky special order limited edition "burnt yellow ice" or whatever). You can buy what they've got on their lot or you can take your money and shove off. Ended up buying a Honda (they had a silver car in stock, so I don't know if they'd have stonewalled me as well).

          Wow..that's strange. I mean, on both the Ford and Hyundai websites, you can select and build out any model of their car offerings you want.....

          I know they want to sell you one from stock, but as far as I know, choosing your car model, color and whatever options are available (some cars do have very limited options, but others have more) is still in the cards for most car shoppers.

          It is just the wireless, phone home control centers in cars that I don't want....hell, I'd actually prefer mechanical analog gauges....one less thing to break due to some electrical gremlin....

          • Re:The only fix... (Score:4, Informative)

            by gweilo8888 ( 921799 ) on Thursday September 10, 2015 @12:49PM (#50496565)
            Choosing your own color and options is still perfectly feasible. Choosing a car without the potential of a built-in ongoing revenue stream, sadly, is not. And that goes for both OnStar *and* Sirius, both of which I would personally prefer not to have in my next vehicle -- but short of choosing an awful econobox that I dislike in every way, forgoing those unwanted add-ons simply isn't possible any more.
            • by jandrese ( 485 )
              Satellite Radio is pretty easy to avoid though. Just don't subscribe and leave your head unit in AM/FM mode. The only annoyance is having to cycle through the Satellite Radio input when switching between USB/CD/AM/FM modes. One whole extra button push. Worst case is that if you accidentally push the mode button one too many times you hear the canned "please buy our overpriced ClearChannel rebroadcast" message for a second and have to go around again.
              • by afidel ( 530433 )

                Wow, I didn't know there was a more stripped down head unit with Sirius than my Chrysler non-display unit. Even my el-baso model has separate buttons for SAT,AM/FM, CD, and BT/AUX

                • by jandrese ( 485 )
                  It has those too, but you have to take your eyes off of the road to use them, so people use the steering wheel buttons to choose the mode instead. The steering wheel only has the "next input" option.
              • Well, sure -- that's the only annoyance if you ignore the fact that you're being forced to pay to subsidize a feature you will never EVER use. I know for a fact I will never pay one cent to Sirius, because I'm not paying for a service which still rams commercials and paid product placements down my throat. However, I think we can both agree that Sirius, not being a charity, is most certainly not covering the entire added cost of the satellite radio-specific components that were added to the bill of material
                • While there is some truth to that...

                  There is also truth to the fact that building the same car, one with sat radio and one without, can actually cost more than just building them all with it...

                  It costs money to change the configuration, to have different parts on hand, to have 2 build sheets in the factory...

                  What does it really cost to add sat radio to a car? A few dollars? The radio itself is just a computer these days, that is software so the cost is developing the software, not installing it. Then you

                  • Which doesn't even remotely change the fact that there is an added cost. Your argument is simply that you can't *remove* the part again to get the cost back -- to which I say that you're looking at the situation back to front. The features add cost; that cost should be borne solely by those who want the features. What you *meant* to say was that it would have been more expensive to add the feature to those cars where customers wanted it, rather than adding it to all of them -- and that's the correct way to
                    • Ok, so you'd like your $3 back that sat radio added to the cost of your car?

                      Fair enough, if you made that a condition of the sale, I'm sure the sales manager would take $3 out of his pocket and hand it to you to close the sale.

                      You're leaping over dollars to pickup pennies, sat radio adds a trivial cost to the price of your car. That is why it has become all but standard in just about everything these days, other than $11k econoboxes.

          • by Anonymous Coward

            Absolutely! If an electric clock cannot withstand 10-15 years of use (one in my Honda, the other in my Toyota), I can't image the fun the electrical gremlins will have with an electronic dash. Will be interesting to see how many 'modern' cars can last 20-30 years and how the electronic dash fairs.

            • by Anonymous Coward

              I can give you some foresight, a family member has a 2003 truck with an electronic gremlin. The electronics think there is a problem with the engine even though there isn't so it kicks the throttle into an "emergency mode" once in a while that doesn't allow you many more RMPs than an idle, at least until you pull over and turn the key off for a few minutes. A month or so back things started to get real interesting, now it doesn't always recognize what gear you're in so the door locks will engage/disengage

            • Insurance companies generally total any car older than 10 year who's airbags deploy. Which usually ends the car.

              Only going to get worse with 12 airbags. I'm betting a full airbag deploy on one of those 3 years old is 'totaled'.

          • by Qzukk ( 229616 )

            I mean, on both the Ford and Hyundai websites, you can select and build out any model of their car offerings you want

            Maybe its a Texas "Independent Dealer" thing. I just punched in my zipcode on the Hyundai website, selected a Sonata and built it out and at the end it gives me an "inventory search" button and tells me there's a dealer with that color and package 15.66 miles away. I picked a different Sonata in "lakeside blue" and got to the end and the inventory search told me there were none available

        • by mlts ( 1038732 )

          The ironic thing is when I went with a friend of mine who was looking at a Ford, the Ford rep confirmed that nothing on the lot would work (and other dealerships didn't have the configuration needed), and offered to have it built to order from a spreadsheet with the list of options. The price was well under MSRP as well.

          I'd probably say the sales rep or the dealer was full of it, and just were wanting to move inventory as opposed to make sales.

          One trick I learned (as a rule of thumb) is to find more rural

        • I recently (5 months ago) bought a new Mustang. I went in, ordered the color and options I wanted, spec'd it out, haggled on the price - and 40 days later it showed up as I ordered, and my payments began. Pretty simple! Now, not all dealers want to do custom orders because they have inventory they want to clear - but you can order.
        • by Lumpy ( 12016 )

          This is why I buy BMW. I can request everything and even pick it up in Germany at the plant, drive it around the Ring a few times and then they will ship it to the USA for me for it to arrive when I arrive back in the states.

          Cadillac and Lincoln? they don't give a rats ass about the customer, and that is why they are both at the bottom of the heap for luxury car sales.

        • Last time I went to buy a car (2010) I was told by two different dealerships (Hyundai and Ford) that requesting anything was no longer "a thing"

          Then you need to find a new dealership...

          When I ordered my 2015 GMC Yukon XL, I sat down with the dealership's order guy and we went through the order form on the computer together, picking out the exact options and order codes that I wanted. It was easy since I had already looked up online what I wanted and had that info with me.

          6 weeks later, the truck showed up at the dealership, just as ordered, and they sold it to me for the price we agreed on at the time I ordered it (about $750 below dealer invoice)

    • by Anonymous Coward

      Or at the very least physically disable its ability to wirelessly communicate with any outside system by destroying/disabling the hardware/antennas.

    • Already did it about the same time I bought the car. It's useless crap really.

    • rolling updates sound like a good idea. Software can no longer afford to be static. It needs to roll with the punches of exploits and support updates out in the field at a moments notice.
      • Software can no longer afford to be static. It needs to roll with the punches of exploits and support updates out in the field at a moments notice.

        Or we could just, y'know, not connect every essential system in the universe to arbitrary remote devices, some of which will inevitably be compromised or otherwise hostile.

        Watching the train wreck we're calling the Internet of Things is like watching cloud computing all over again but ten times worse. It seems the manufacturers can't get enough of it because of the hype train and so most of their customers get on board as well, even though they don't really know whether there's anything in it for them or ha

    • The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

      Although true, it's probably not what GM wants. The easiest way to fix while keeping the product alive this is to stop remote updates. It should be an active decision to update your car the same way it is for updating a NAS or SCSI controller firmware.

      In addition, there should be a disconnect between the entertainment system and the car's operating functions. I don't understand why the same computer needs to handle both work loads as they do not cross over in functionality or need.

      • I don't understand why the same computer needs to handle both work loads as they do not cross over in functionality or need.

        There is a half-truth here.

        The underlying problem is that a lot of the electronic systems within most modern cars probably communicate using an insecure channel. The systems were designed with the assumption that the other devices on the same bus were trustworthy. And of course, they typically were, before remote access came along.

        Today that assumption no longer holds, but a lot of systems that seem unrelated do actually have genuine reasons to interact to some degree. For example, consider a modern system

        • I agree with everything you said except that it doesn't explain the connection between the systems

          However, that system needs to know whether a crash has occurred, and how is it going to do that? It needs access to some sort of sensor, but by its nature that same sensor is probably also used by some of the other modern systems that provide collision avoidance/mitigation features. Bang, now you've a link between a system that has remote communication capabilities and a system that has a need for direct control of essential vehicle systems.

          This is a problem that is easily solved by providing read only access to sensor data. There is no reason for the external communication systems to allow write operations of any sort.

          • This is a problem that is easily solved by providing read only access to sensor data. There is no reason for the external communication systems to allow write operations of any sort.

            Absolutely true, but unfortunately a lot of cars shipping today have a CAN bus architecture that can't make that distinction, and the components communicating via the bus aren't set up with the necessary security in mind either. That's a large part of the problem here.

    • by Lumpy ( 12016 )

      You are incorrect, it is very simple to make 100% secure.

      you find the Onstar antenna wire, and remove it from the telemetrics module.

      Honestly in today's world only a fool wants onstar. you have a freaking cellphone in your hands, your infotainment system can use BT tethering to get any data. Why the car needs it's own connection is utterly insane.

      And yes, I know remote unlocking from the onstar service, sorry but if you lock your keys in the car on a regular basis, you deserve to have to pay for a new win

  • by the_skywise ( 189793 ) on Thursday September 10, 2015 @12:05PM (#50496139)

    Did it install Windows 10?

  • Not touched upon in the story is that the update also included a stealth download of systemd.

  • by account_deleted ( 4530225 ) on Thursday September 10, 2015 @12:24PM (#50496361)
    Comment removed based on user account deletion
    • my 2001 crown victoria police interceptor has been modified slightly to emit a protective haze of burnt oil to stealthfully evade hackers. Whats more, the suspension has been recalibrated to bob and duck at the slightest bump, and shake violently at speeds above 40 miles per hour in an attempt to elude hackers signals. Finally, I use crippling student debt technology to ensure that flipping on my dome light and barking orders to OnStar does virtually nothing to the vehicle. For added protection, you can put the car into 'stealth mode' if you have an arts degree by avoiding oil changes and fuel in exchange for more ramen this month.

      Does the cigarette lighter work?

  • by sinij ( 911942 ) on Thursday September 10, 2015 @12:27PM (#50496387)
    This glacial speed of fixing critical bugs demonstrates that automotive industry cannot be trusted with networking anything.
    • Can any company be trusted?
      • by sinij ( 911942 )

        Can any company be trusted?

        No, but how likely is your compromised smart TV is going to be used to kill you?

        • by Lumpy ( 12016 )

          Quite high.

          Kiddie calls a SWAT on your home.
          Kiddie makes your smart TV switch to a video of a violent scene that matches the call and turns the volume up to 90%.

          Swat team kills you, see's it 's just the TV, then kills your family and dog out of spite.

  • by Anonymous Coward

    "Created a remote update capability" by exploiting the very same bug.

  • by beschra ( 1424727 ) on Thursday September 10, 2015 @12:34PM (#50496443)

    From GM chief product cybersecurity officer Jeff Massimilla:

    “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

    They hacked it so they could hack it. I'm glad GM has my back.

    • Missed the most important quote somehow:

      “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

      • And without authorization from the owner of the car, or notification it was being done.

        So, violation of the computer fraud and abuse act?

        Sure sounds like hacking to me. Oh, but it's a corporation, so it's OK.

  • That's pretty laden with strong, negative emotional connotations. What's the justification?

    Why not just read it as they started quietly pushing updates?

    • Quietly: suggests caution, or even wisdom, due to security and safety concerns
      Secretly: suggests a pure profit motive. Avoid scaring people so they keep buying our cars

      The full story is probably a mix of the two.

      • by Nutria ( 679911 )

        Nutria's corollary to Hanlon's Razor: never ascribe to malice what can adequately be ascribed to bureaucracy.

        IOW, they certainly wondered why they needed to send out millions of post cards (which is how auto companies communicate with their users) when just fixing the problem is so much simpler.

  • I didn't know stealth was an available upgrade, not sure how I'd use it accept to avoid speeding tickets.... Oh wait....

  • I'm getting sick and tired of this. The stuff that so many engineers and technical people have been touting for so many years is happening right before our eyes. I'm still waiting for the phone armageddon which is already happening with so many phones being hacked (Even your old phone won't help you here with the baseband exploits). Pretty soon we'll be tossing all our phones in the garbage.

    These people touting the exploits end up getting laughed out of IEEE conferences by manufacturers and their butt bu
  • Secretly pushing updates is absolute BULLSHIT
  • by ShaunC ( 203807 ) on Thursday September 10, 2015 @01:30PM (#50497013)

    As someone who drives a GM car that came with an OnStar antenna, a rearview mirror full of OnStar buttons, and an OnStar free trial... How do I determine whether or not my car is vulnerable? Whether it received the patch? Which generation of OnStar my car has?

    I haven't had anything to do with OnStar since I was driving down the interstate and suddenly received a loud and unexpected phone call from a fucking OnStar telemarketer. My trial, which came with the car and which I hadn't used, was about to expire, so they decided to make a sales call. To my car. While I was driving. Out of nowhere, the car muted the radio, made some very loud dinging noises, and started blasting an unknown woman's voice over the stereo system while I was driving down the highway. She's asking me if I want to sign up for OnStar at such and such monthly rate. I have never been so distracted by anything while behind the wheel of a car, and vowed never to use any OnStar service again.

    I'd just like to know whether or not the OnStar in my car, which I had hoped was disabled after not paying for it, will attempt to kill me again.

    • by sinij ( 911942 )
      It is still there, vulnerabilities and all, and they are still using it to collect information about you.
    • by sjames ( 1099 )

      You will need to pull the fuse or disconnect the communication module. Otherwise, it is still vulnerable to hacking and/or (probably) a FISA rubber stamp.

    • by Lumpy ( 12016 )

      all of them have problems, disconnect the onstar antenna from the module and stop worrying.

  • Onstar is easily compromised vial MTM attack and has been for 2 decades now. They need to give it decent encryption and allow the car owners to set passwords/pin numbers in the car system themselves that the car will ignore all communication attempts without it.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...