Slashdot Mirror


GM Performs Stealth Update To Fix Security Bug In OnStar

An anonymous reader writes: Back in 2010, long before the Jeep Cherokee thing, some university researchers demonstrated remote car takeover via cellular (old story here). A new Wired article reveals that this was actually a complete exploit of the OnStar system (and was the same one used in that 60 Minutes car hacking episode last year). Moreover, these cars stayed vulnerable for years -- until 2014, when GM created a remote update capability and secretly started pushing updates to all the affected cars.

91 comments

  1. The only fix... by Anonymous Coward · · Score: 5, Insightful

    The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

    1. Re:The only fix... by cayenne8 · · Score: 3, Interesting

      The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

      Or at least the car manufacturers should give the purchaser the OPTION on whether to have this hardware/software installed or not.

      It used to be an "option"...why did it now become a standard fixture? Sadly it seems these systems are so integrated now, you can't keep the car functioning without them.

      It should be a modular thing that you can request to have or not have....

      Are there any good ways to disable OnStar and the Uconnect apps, and prevent them from communicating wirelessly at least?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    2. Re:The only fix... by Anonymous Coward · · Score: 1

      Or at the very least physically disable its ability to wirelessly communicate with any outside system by destroying/disabling the hardware/antennas.

    3. Re:The only fix... by Archangel+Michael · · Score: 3

      OnStar is GM's version of ongoing revenue stream from previous customers.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:The only fix... by Anonymous Coward · · Score: 1

      Find and remove antenna feed.

    5. Re:The only fix... by Virtucon · · Score: 1

      Already did it about the same time I bought the car. It's useless crap really.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    6. Re:The only fix... by Qzukk · · Score: 1

      that you can request to have or not have

      Last time I went to buy a car (2010) I was told by two different dealerships (Hyundai and Ford) that requesting anything was no longer "a thing" (though I could buy an aftermarket radio upgrade at full price plus installation and no, they won't deduct the cost of the basic radio from the car). You can't even ask for them to get a car in a certain color (in my case, silver, not some freaky special order limited edition "burnt yellow ice" or whatever). You can buy what they've got on their lot or you can take your money and shove off. Ended up buying a Honda (they had a silver car in stock, so I don't know if they'd have stonewalled me as well).

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    7. Re:The only fix... by cayenne8 · · Score: 3, Informative

      Last time I went to buy a car (2010) I was told by two different dealerships (Hyundai and Ford) that requesting anything was no longer "a thing" (though I could buy an aftermarket radio upgrade at full price plus installation and no, they won't deduct the cost of the basic radio from the car). You can't even ask for them to get a car in a certain color (in my case, silver, not some freaky special order limited edition "burnt yellow ice" or whatever). You can buy what they've got on their lot or you can take your money and shove off. Ended up buying a Honda (they had a silver car in stock, so I don't know if they'd have stonewalled me as well).

      Wow..that's strange. I mean, on both the Ford and Hyundai websites, you can select and build out any model of their car offerings you want.....

      I know they want to sell you one from stock, but as far as I know, choosing your car model, color and whatever options are available (some cars do have very limited options, but others have more) is still in the cards for most car shoppers.

      It is just the wireless, phone home control centers in cars that I don't want....hell, I'd actually prefer mechanical analog gauges....one less thing to break due to some electrical gremlin....

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    8. Re:The only fix... by gweilo8888 · · Score: 3, Informative

      Choosing your own color and options is still perfectly feasible. Choosing a car without the potential of a built-in ongoing revenue stream, sadly, is not. And that goes for both OnStar *and* Sirius, both of which I would personally prefer not to have in my next vehicle -- but short of choosing an awful econobox that I dislike in every way, forgoing those unwanted add-ons simply isn't possible any more.

    9. Re:The only fix... by bbelt16ag · · Score: 1

      rolling updates sound like a good idea. Software can no longer afford to be static. It needs to roll with the punches of exploits and support updates out in the field at a moments notice.

      --
      NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
    10. Re:The only fix... by mlts · · Score: 2

      The ironic thing is when I went with a friend of mine who was looking at a Ford, the Ford rep confirmed that nothing on the lot would work (and other dealerships didn't have the configuration needed), and offered to have it built to order from a spreadsheet with the list of options. The price was well under MSRP as well.

      I'd probably say the sales rep or the dealer was full of it, and just were wanting to move inventory as opposed to make sales.

      One trick I learned (as a rule of thumb) is to find more rural dealers, because dealers in a city core tend to be able to tell people to go pound sand, since there is always that person next in line. It also helps to go on a weekday.

    11. Re:The only fix... by Anonymous Coward · · Score: 1

      Absolutely! If an electric clock cannot withstand 10-15 years of use (one in my Honda, the other in my Toyota), I can't imagine the fun the electrical gremlins will have with an electronic dash. Will be interesting to see how many 'modern' cars can last 20-30 years and how the electronic dash fares.

    12. Re:The only fix... by jandrese · · Score: 0

      It is built into the vehicle's radio antenna.

      --
      I read the internet for the articles.
    13. Re:The only fix... by Anonymous Coward · · Score: 0

      That's because most people don't care.

      If there was enough demand for simple unencumbered cars, someone would arise to fill that demand. As it stands, you are outvoted by the other buyers.

    14. Re:The only fix... by jandrese · · Score: 1

      Satellite Radio is pretty easy to avoid though. Just don't subscribe and leave your head unit in AM/FM mode. The only annoyance is having to cycle through the Satellite Radio input when switching between USB/CD/AM/FM modes. One whole extra button push. Worst case is that if you accidentally push the mode button one too many times you hear the canned "please buy our overpriced ClearChannel rebroadcast" message for a second and have to go around again.

      --
      I read the internet for the articles.
    15. Re:The only fix... by Anonymous Coward · · Score: 0

      Then you were told wrong. You can still factory order cars. The dealer probably wanted you to buy a car they already had on the lot rather than letting you get what you wanted.

      Remember that thanks to decades of lobbying and cronyism, dealers all are independently owned and operated - nothing to do with Ford, Hyundai, and etc apart from the loose dealer/manufacturer relationship that exists.

      With that said, GM won't let you order a car without OnStar unless you're a fleet/rental customer (fleets don't want them and have enough monetary clout to get what they want).

    16. Re:The only fix... by afidel · · Score: 1

      Wow, I didn't know there was a more stripped down head unit with Sirius than my Chrysler non-display unit. Even my el-baso model has separate buttons for SAT,AM/FM, CD, and BT/AUX

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    17. Re:The only fix... by Anonymous Coward · · Score: 0

      The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

      Are there any good ways to disable OnStar and the Uconnect apps, and prevent them from communicating wirelessly at least?

      Disconnect the cellular antenna, and put a 50 ohm resistor across it.

    18. Re:The only fix... by jandrese · · Score: 1

      It has those too, but you have to take your eyes off of the road to use them, so people use the steering wheel buttons to choose the mode instead. The steering wheel only has the "next input" option.

      --
      I read the internet for the articles.
    19. Re:The only fix... by Ravaldy · · Score: 1

      The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

      Although true, it's probably not what GM wants. The easiest way to fix this while keeping the product alive is to stop remote updates. It should be an active decision to update your car, the same way it is for updating a NAS or SCSI controller firmware.

      In addition, there should be a disconnect between the entertainment system and the car's operating functions. I don't understand why the same computer needs to handle both work loads as they do not cross over in functionality or need.
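The opt-in update policy argued for above, as an added illustration that is not part of the original thread and not GM's or OnStar's actual update mechanism: a hypothetical update agent refuses to apply a package unless the vendor's Ed25519 signature over the manifest verifies, the payload matches the manifest's hash, the version is strictly newer than what is installed (anti-rollback), and the owner has explicitly approved that exact version. The `Manifest` format, the field names, the fixed demo key seed and the "firmware" bytes are all constructed assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; the field names are
// assumptions for this example, not any vendor's real format.
type Manifest struct {
	Version     uint32 // monotonically increasing build number
	PayloadHash string // hex SHA-256 of the firmware image
}

// Encode gives the exact bytes that get signed. A fixed, unambiguous
// encoding is part of what the signature protects.
func (m Manifest) Encode() []byte {
	return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, m.PayloadHash))
}

// Sentinel errors so a caller (or a test) can tell the refusal reasons apart.
var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrPayloadHash  = errors.New("payload hash does not match manifest")
	ErrRollback     = errors.New("manifest version not newer than installed")
	ErrNoConsent    = errors.New("owner has not approved this update version")
)

// Authorize implements the opt-in policy. The checks run in order of cost and
// trust: an unsigned or tampered manifest is rejected before anything else is
// believed about it, and even a valid, newer package is refused unless the
// owner approved exactly this version (approvedVersion == 0 means "nothing").
func Authorize(vendorKey ed25519.PublicKey, m Manifest, sig, payload []byte,
	installed, approvedVersion uint32) error {
	if !ed25519.Verify(vendorKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadHash {
		return ErrPayloadHash
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if approvedVersion == 0 || approvedVersion != m.Version {
		return ErrNoConsent
	}
	return nil
}

// DemoKey derives a deterministic key pair from a fixed seed so the example
// runs offline. A real vendor signing key would live in an HSM, never here.
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildSigned is the vendor side: hash the payload into a manifest and sign it.
func BuildSigned(priv ed25519.PrivateKey, version uint32, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadHash: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Encode())
}

func main() {
	pub, priv := DemoKey()
	payload := []byte("constructed firmware image bytes") // constructed sample
	m, sig := BuildSigned(priv, 42, payload)

	fmt.Println("owner approved v42:     ", Authorize(pub, m, sig, payload, 41, 42))
	fmt.Println("silent push, no consent:", Authorize(pub, m, sig, payload, 41, 0))
	fmt.Println("tampered payload:       ", Authorize(pub, m, sig, append([]byte{}, payload[:len(payload)-1]...), 41, 42))
	fmt.Println("rollback to same build: ", Authorize(pub, m, sig, payload, 42, 42))
}
```

The consent check sits last on purpose: it is a policy decision layered on top of the cryptographic ones, so a valid package still cannot be installed "secretly", but an invalid package is never presented to the owner as something worth approving.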

    20. Re:The only fix... by afidel · · Score: 1

      With that said, GM won't let you order a car without OnStar unless you're a fleet/rental customer (fleets don't want them and have enough monetary clout to get what they want).

      Are you kidding, fleet purchasers LOVE OnStar unless they already have an alternative telematics provider that they use that can't tap into the OnStar system.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    21. Re:The only fix... by Anonymous Coward · · Score: 1

      I can give you some foresight, a family member has a 2003 truck with an electronic gremlin. The electronics think there is a problem with the engine even though there isn't so it kicks the throttle into an "emergency mode" once in a while that doesn't allow you many more RPMs than an idle, at least until you pull over and turn the key off for a few minutes. A month or so back things started to get real interesting, now it doesn't always recognize what gear you're in so the door locks will engage/disengage while you're going down the road and fail to unlock when you put it in park. They've replaced several of the electronics modules in the vehicle to no avail.

    22. Re:The only fix... by aaron4801 · · Score: 4, Informative

      I don't own a GM car, but it seems that at least some vehicles will have a separate fuse and/or control system for OnStar:
      3 ways to deactivate OnStar

    23. Re:The only fix... by gweilo8888 · · Score: 2

      Well, sure -- that's the only annoyance if you ignore the fact that you're being forced to pay to subsidize a feature you will never EVER use. I know for a fact I will never pay one cent to Sirius, because I'm not paying for a service which still rams commercials and paid product placements down my throat. However, I think we can both agree that Sirius, not being a charity, is most certainly not covering the entire added cost of the satellite radio-specific components that were added to the bill of materials for my new car and every other one in the nation -- I am, and you are too. We're not Sirius subscribers and never will be, but we're both effectively forced to pay them and their suppliers a lump sum every time we buy a new car.

      And that, ladies and gentlemen, is what really grinds my gears.

    24. Re:The only fix... by Anonymous Coward · · Score: 0

      Find the OnStar antenna, cut it off, ground it out.

    25. Re:The only fix... by Anonymous Coward · · Score: 0

      I thought it was an option. Don't buy that car!

    26. Re:The only fix... by HornWumpus · · Score: 1

      Insurance companies generally total any car older than 10 years whose airbags deploy. Which usually ends the car.

      Only going to get worse with 12 airbags. I'm betting a full airbag deploy on one of those 3 years old is 'totaled'.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    27. Re:The only fix... by LynnwoodRooster · · Score: 1

      I recently (5 months ago) bought a new Mustang. I went in, ordered the color and options I wanted, spec'd it out, haggled on the price - and 40 days later it showed up as I ordered, and my payments began. Pretty simple! Now, not all dealers want to do custom orders because they have inventory they want to clear - but you can order.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    28. Re:The only fix... by Lumpy · · Score: 1

      You are incorrect, it is very simple to make 100% secure.

      you find the Onstar antenna wire, and remove it from the telemetrics module.

      Honestly in today's world only a fool wants onstar. you have a freaking cellphone in your hands, your infotainment system can use BT tethering to get any data. Why the car needs its own connection is utterly insane.

      And yes, I know remote unlocking from the onstar service, sorry but if you lock your keys in the car on a regular basis, you deserve to have to pay for a new window replacement regularly.

      --
      Do not look at laser with remaining good eye.
    29. Re:The only fix... by Lumpy · · Score: 1

      This is why I buy BMW. I can request everything and even pick it up in Germany at the plant, drive it around the Ring a few times and then they will ship it to the USA for me for it to arrive when I arrive back in the states.

      Cadillac and Lincoln? they don't give a rats ass about the customer, and that is why they are both at the bottom of the heap for luxury car sales.

      --
      Do not look at laser with remaining good eye.
    30. Re:The only fix... by FlyHelicopters · · Score: 1

      Last time I went to buy a car (2010) I was told by two different dealerships (Hyundai and Ford) that requesting anything was no longer "a thing"

      Then you need to find a new dealership...

      When I ordered my 2015 GMC Yukon XL, I sat down with the dealership's order guy and we went through the order form on the computer together, picking out the exact options and order codes that I wanted. It was easy since I had already looked up online what I wanted and had that info with me.

      6 weeks later, the truck showed up at the dealership, just as ordered, and they sold it to me for the price we agreed on at the time I ordered it (about $750 below dealer invoice).

      It has been awhile since I've actually bought a car off a dealer lot, my last three vehicles were ordered. You can still do this.

    31. Re:The only fix... by FlyHelicopters · · Score: 1

      While there is some truth to that...

      There is also truth to the fact that building the same car, one with sat radio and one without, can actually cost more than just building them all with it...

      It costs money to change the configuration, to have different parts on hand, to have 2 build sheets in the factory...

      What does it really cost to add sat radio to a car? A few dollars? The radio itself is just a computer these days, that is software so the cost is developing the software, not installing it. Then you have an antenna, but you need that for GPS anyway. Oh sure, you might not want nav, fair enough... but I'm willing to bet a lot of those cars have the antenna installed anyway, because it is easier and cheaper to build them all one way, with a GPS antenna, than it is to have 2 build sheets.

      It is quite possible that there would be no effective price difference if they were forced to build a car without it, since they otherwise wouldn't build that configuration, so they have to add the cost of another build sheet to the production line, offsetting the $3 worth of parts needed to put sat nav in a car.

    32. Re:The only fix... by FlyHelicopters · · Score: 1

      Actually, that demand does exist...

      Look at a Nissan Versa:

      http://www.nissanusa.com/cars/...

      You can get that car for about $11k, or even less if you haggle well or they have rebates...

      For $11k, it doesn't have all those options that bother some people.

      So that market does exist, but what the OP above you wants is a middle ground car with just some nice features, but not others, and almost no one wants that, so no one builds it.

    33. Re:The only fix... by gweilo8888 · · Score: 1

      Untrue. Plenty of people want it, but it isn't offered because the manufacturer puts its own interests first. (And its own interests are hooking the gullible into providing an ongoing revenue stream, and having the rest of us pay for that too, so as to avoid having to stock two different options.)

      The only reason the Nissan Versa doesn't have those options is because it is being aimed at the entry-level market where price is the overriding criterion for most buyers. Here, it is in the manufacturer's interest not to include those options because they won't be used anyway (so there's no ongoing revenue stream potential) and if they drop the options, they increase their more slender profit margin on a base model.

      Your example has nothing to do with what customers *want*, and everything to do with manufacturer self-interest.

    34. Re:The only fix... by Qzukk · · Score: 1

      I mean, on both the Ford and Hyundai websites, you can select and build out any model of their car offerings you want

      Maybe it's a Texas "Independent Dealer" thing. I just punched in my zipcode on the Hyundai website, selected a Sonata and built it out and at the end it gives me an "inventory search" button and tells me there's a dealer with that color and package 15.66 miles away. I picked a different Sonata in "lakeside blue" and got to the end and the inventory search told me there were none available and I should go talk to a local dealer to see if they could help me find a car (in the color I want, as long as I want black).

      Ford's website gives me the option to search for a nearby dealer or "get an internet price" at the end, no idea if the second option actually gets me the silver fiesta I put in to test it (it wants me to fill in a bunch of stuff so someone can contact me).

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    35. Re:The only fix... by gweilo8888 · · Score: 1

      Which doesn't even remotely change the fact that there is an added cost. Your argument is simply that you can't *remove* the part again to get the cost back -- to which I say that you're looking at the situation back to front. The features add cost; that cost should be borne solely by those who want the features. What you *meant* to say was that it would have been more expensive to add the feature to those cars where customers wanted it, rather than adding it to all of them -- and that's the correct way to say it because it retains the point that the cost should be borne by those who want the feature (ie. the Sirius users, or Sirius itself, in the case of satellite radio. And likewise for OnStar.)

    36. Re:The only fix... by FlyHelicopters · · Score: 1

      Ok, so you'd like your $3 back that sat radio added to the cost of your car?

      Fair enough, if you made that a condition of the sale, I'm sure the sales manager would take $3 out of his pocket and hand it to you to close the sale.

      You're leaping over dollars to pickup pennies, sat radio adds a trivial cost to the price of your car. That is why it has become all but standard in just about everything these days, other than $11k econoboxes.

    37. Re:The only fix... by FlyHelicopters · · Score: 1

      Untrue. Plenty of people want it, but it isn't offered because the manufacturer puts its own interests first.

      Citation needed...

      ---

      The irony is that you think GM is putting sat radio into cars because they don't want to sell cars. If GM thought they could sell more cars by keeping it out, they would.

      OnStar used to be a real cost and was offered only in more expensive vehicles and higher end trim lines. Now the cost is trivial and at some point becomes cheaper to just make standard equipment rather than an option.

      This is not unlike how air conditioning used to be optional, but is now standard because the cost of including it has dropped to the point where it is more trouble to build one car with it and one car without it. It is easier and cheaper to just build all cars with it. The same has become true of OnStar.

      (And its own interests are hooking the gullible into providing an ongoing revenue stream, and having the rest of us pay for that too, so as to avoid having to stock two different options.)

      Putting aside your issues with OnStar, stocking two different options isn't free. That costs real money. It is likely in 2015 that the cost of stocking vehicles with and without OnStar would exceed the cost of just putting it in everything.

      So the question is, are you ok to actually pay $50 more for a car without OnStar, than one with it, to offer you the choice? You might say yes, but I doubt very many people would. Most people would likely say, "sure, put it in if it is free, so long as I don't have to use it (and they don't)".

    38. Re:The only fix... by Anonymous+Brave+Guy · · Score: 1

      Most people would likely say, "sure, put it in if it is free, so long as I don't have to use it (and they don't)".

      It helps the car makers that the overwhelming majority of people have no idea how much their security and/or privacy are actually being compromised by these new systems.

      "Do you like our new advanced recovery system? It automatically calls for help and sends your location if someone crashes into your car, so it might save your child's life one day."

      "Thanks, that's great to know."

      vs.

      "Do you like our new advanced insecurity system? Because we're incompetent at software development, any punk with a $10 black market device can open your car while you're away and steal anything in it, or the next big terrorist attack could be someone with a laptop 25 miles away causing everyone with this model to accelerate to 100mph, so you and your children can be terrified for the last few seconds of your life before you die in a horrific collision."

      "ARE YOU F*?#ING CRAZY?"

      The reality, of course, is that these two scenarios are not at all mutually exclusive, and both are somewhat unlikely. However, most normal people who haven't worked in either the auto industry or the software industry are only thinking about one of them when they get the sales pitch.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    39. Re:The only fix... by Anonymous+Brave+Guy · · Score: 1

      Software can no longer afford to be static. It needs to roll with the punches of exploits and support updates out in the field at a moments notice.

      Or we could just, y'know, not connect every essential system in the universe to arbitrary remote devices, some of which will inevitably be compromised or otherwise hostile.

      Watching the train wreck we're calling the Internet of Things is like watching cloud computing all over again but ten times worse. It seems the manufacturers can't get enough of it because of the hype train and so most of their customers get on board as well, even though they don't really know whether there's anything in it for them or have any concept of the risks.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    40. Re:The only fix... by Anonymous Coward · · Score: 0

      My 2011 Equinox had that issue and the wiring into the transmission case was loose. Dealer fixed it under warranty after a few trips and a couple of WTFs.

    41. Re:The only fix... by Anonymous Coward · · Score: 0

      Remember to store the extra fuse in your sandblasting cabinet.

      http://www.wikihow.com/Deactivate-Onstar#/Image:Deactivate-Onstar-Step-9.jpg

    42. Re:The only fix... by FlyHelicopters · · Score: 1

      On the plus side, self-driving cars will require a level of software security that existing cars don't.

      You talk about accelerating to 100mph, but keep in mind the brakes always work, they are required to, and they are required to be able to overpower the engine.

      You can also always turn off the car, and if you have keyless, press and hold the button for 4 seconds, that kills the power (much like it does in your locked up computer).

      But a self-driving car? That needs some serious security.

    43. Re:The only fix... by Anonymous+Brave+Guy · · Score: 1

      You can also always turn off the car

      Unfortunately, in modern vehicles even that doesn't always work.

      These kinds of failsafe should be completely reliable, and it's crazy that they aren't, but it seems auto makers are just trying to be too clever with what they do in software and they sometimes get it wrong.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    44. Re:The only fix... by FlyHelicopters · · Score: 1

      Nothing in life is "completely reliable", but I get what you're saying.

      At least they are doing a recall and fixing it. :)

    45. Re:The only fix... by Anonymous Coward · · Score: 0

      I will grant that it has been several years since I've driven a GM fleet car before but for the years I drove them, our company always ordered them sans OnStar. Same thing with rental fleets and police fleets.

      I can't imagine that a fleet manager wants to pay OnStar for service unless GM has radically changed the way they market and price OnStar which may very well be the case. I know there is a lot more competition in the telematics space these days, so maybe GM has a more attractive offering with OnStar.

    46. Re:The only fix... by Anonymous Coward · · Score: 0

      Have you ever considered that there may be an actual legitimate issue with your car unrelated to the control modules? The fact that they've replaced various modules and haven't solved your issue would suggest that the age of the electronics in your car isn't the issue.

      As the poster below suggests, it could be something simple as a wiring problem. Apart from ancient cars that are 100% mechanical, every car has electronics in it and this could happen to any of them.

    47. Re:The only fix... by Anonymous Coward · · Score: 0

      That's really not good enough. If you're very close to a tower, you're going to get a signal in pretty much any condition. You need to remove power from the unit.

    48. Re:The only fix... by Anonymous Coward · · Score: 0

      Some people cut the antenna lead, which I think is shared with XM, though I haven't bothered looking into it carefully. You can't really rip the box out without (at least) disabling the radio, and probably worse.

      As I understand it, they still run Onstar over satellite links, so this is probably effective. They may have cut costs / moved to cellular by now, which probably makes it harder to find / disable the antenna.

    49. Re:The only fix... by Anonymous Coward · · Score: 0

      Also known as a "glovebox".

  2. Soo.. by the_skywise · · Score: 2

    Did it install Windows 10?

    1. Re:Soo.. by Anonymous Coward · · Score: 0

      The upgrade is free though! What more could you want? Free!!!

  3. That will never happen. by Anonymous Coward · · Score: 3, Insightful

    What you propose is at variance with how the market works.

    People will get upset every time an exploit is found. The vendor will give assurances that the problem has been fixed (whether it has or not), and business will proceed as usual.

    You can pound your fist and say it shouldn't be that way all you like. But it is that way. All you can really do is figure out the best way to adapt to it.

    Trying to control the world will only bring you stress.

    1. Re:That will never happen. by Anonymous Coward · · Score: 1

      So far it hasn't. However, if OnStar does get hacked, it might be something large enough to change the psyche of consumers here in the US.

      Doesn't take much. Hurricane starts to bear down on a coastal city. Evacuation starts. Bad guy logs on, disables one set of cars leaving. When those are starting to get towed, he disables another set of vehicles. Or he just kills all OnStar-linked vehicles and drops the network by purging some core router configs and changing uplink passwords. Now the hurricane is not just a disaster, but now a humanitarian catastrophe with many people stuck. Bad guy leaves his signature, and his/her organization now gets front page headlines for years.

      Already happened here in Austin. A car dealer had boxes wired in for customers who didn't pass credit checks which asked for a PIN weekly. No PIN, no start. Well, an ex-employee logged in using a valid employee's ID, disabled all vehicles and left them with horns honking.

      I personally am surprised that OnStar hasn't been hacked yet. It is just such a big, juicy target for any organization that is wanting to get their fifteen minutes of fame, as well as being able to know where a lot of people are, 24/7.

    2. Re:That will never happen. by Anonymous+Brave+Guy · · Score: 1

      The challenge here is that many people will continue to make this defeatist argument until something very, very bad happens, because most people are not good at evaluating the risk from rare but extremely damaging events. Regulators should be stepping in to control the world of the auto manufacturers until they get their house in order on this one, because unfortunately, unlike most of the security theatre we see in the modern world, mass casualties due to compromised auto software is actually a credible risk that we really shouldn't accept so casually.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:That will never happen. by mlts · · Score: 1

      The problem is that nobody gives a rat's ass until people wind up dying on a massive scale, as in the hundreds to thousands. Even hacking a jetliner isn't going to do the trick because people are starting to get used to them being dropped out of the sky.

      The biggest issue is the perception that "security has no ROI", combined with "the hackers can get us no matter what we do". Both are BS. If one looks at physical security, even the liquor store in the no-man's-land neighborhood has more than adequate physical security to keep the booze inside after business hours. Physical security is good enough to keep unauthorized people out of a ton of places. Not 100%, but adequate. If PHBs did the same about physical security as they do about network security, we would see a thin rope around the data center door handles instead of card readers, with the PHBs whining to Congress that anyone determined could get inside no matter how thick a rope they used, and showing how a dopehead loaded on Valkyr off the street was able to tear server racks off the floor.

    4. Re:That will never happen. by Anonymous+Brave+Guy · · Score: 1

      The problem is that nobody gives a rat's ass until people wind up dying on a massive scale, as in the hundreds to thousands.

      Isn't the real problem that in this case that might actually happen? A few posters right here in this discussion have already described some very nasty scenarios that could have that kind of result, and the necessary proofs of concept have already been demonstrated, which is why we're having today's discussion in the first place.

      All too literally, the only thing protecting us from this kind of attack right now is the blessing that there aren't yet very many people in the world with all of the knowledge, the resources and the desire to hurt a lot of people by doing it.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:That will never happen. by the_B0fh · · Score: 1

      Oh no! More regulations? Are you a communist?!?! Bwahahaha

    6. Re:That will never happen. by mlts · · Score: 1

      Pretty much. We have enough good people out there that act as goalie, preventing a lot of disasters. However, this is only a matter of time before we get an attack that is a perfect storm where the good guys were not able to stop it.

      In the past, we have had two groups: people who had the will to do harm, and would do anything to do it, and people who had the way and knowledge to do harm... but who were not into hurting people as their primary reason for existing. However, as things change, we are starting to see this change. The Middle East is starting to rise as a source for constant cyberattacks, and as time goes on, we will start seeing parties with not just the ability to do damage, but the will, either to gain their organization "street cred", or for a political statement.

      It is actually astounding that we have not had a disaster happen yet. Every terrorist group down to the gangbanger who is looking to earn cred for full "soldier" status with his droogies is chomping at the bit to be able to pull something like this off.

    7. Re:That will never happen. by Anonymous Coward · · Score: 0

      Trying to control the world will only bring you stress.

      Jeez, I thought it just turned you into RMS.

  4. The update also included by JustAnotherOldGuy · · Score: 0

    Not touched upon in the story is that the update also included a stealth download of systemd.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  5. Crapware by Anonymous Coward · · Score: 0

    Whack-A-Mole is fun when your life is on the line!

  6. alternative updates are available. by nimbius · · Score: 3, Funny

    As I graduated last year and assumed my engineering role at McDonald's (ketchup extrusion/mustard analytics) I became aware of this 2010 exploit and, in keeping with Slashdot's hacker culture, created my own workaround in case my vehicle were to make the list of coveted hackable hardware.

    My 2001 Crown Victoria Police Interceptor has been modified slightly to emit a protective haze of burnt oil to stealthily evade hackers. What's more, the suspension has been recalibrated to bob and duck at the slightest bump, and shake violently at speeds above 40 miles per hour in an attempt to elude hackers' signals. Finally, I use crippling student debt technology to ensure that flipping on my dome light and barking orders to OnStar does virtually nothing to the vehicle. For added protection, you can put the car into 'stealth mode' if you have an arts degree by avoiding oil changes and fuel in exchange for more ramen this month.

    --
    Good people go to bed earlier.
    1. Re:alternative updates are available. by AntronArgaiv · · Score: 1

      My 2001 Crown Victoria Police Interceptor has been modified slightly to emit a protective haze of burnt oil to stealthily evade hackers. What's more, the suspension has been recalibrated to bob and duck at the slightest bump, and shake violently at speeds above 40 miles per hour in an attempt to elude hackers' signals. Finally, I use crippling student debt technology to ensure that flipping on my dome light and barking orders to OnStar does virtually nothing to the vehicle. For added protection, you can put the car into 'stealth mode' if you have an arts degree by avoiding oil changes and fuel in exchange for more ramen this month.

      Does the cigarette lighter work?

    2. Re:alternative updates are available. by AndyKron · · Score: 1

      Does the haze contain metallic particles to enhance RF blocking?

  7. Glacial speed of fixing critical bugs by sinij · · Score: 2

    This glacial speed of fixing critical bugs demonstrates that automotive industry cannot be trusted with networking anything.

    1. Re:Glacial speed of fixing critical bugs by AndyKron · · Score: 1

      Can any company be trusted?

    2. Re:Glacial speed of fixing critical bugs by sinij · · Score: 1

      Can any company be trusted?

      No, but how likely is it that your compromised smart TV is going to be used to kill you?

    3. Re:Glacial speed of fixing critical bugs by Lumpy · · Score: 2

      Quite high.

      Kiddie calls a SWAT on your home.
      Kiddie makes your smart TV switch to a video of a violent scene that matches the call and turns the volume up to 90%.

      SWAT team kills you, sees it's just the TV, then kills your family and dog out of spite.

      --
      Do not look at laser with remaining good eye.
  8. GM Uses the Exploit to Push the Update by Anonymous Coward · · Score: 1

    "Created a remote update capability" by exploiting the very same bug.

  9. This is not reassuring by beschra · · Score: 5, Interesting

    From GM chief product cybersecurity officer Jeff Massimilla:

    “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

    They hacked it so they could hack it. I'm glad GM has my back.

    --
    It is unwise to ascribe motive
    1. Re:This is not reassuring by beschra · · Score: 2

      Missed the most important quote somehow:

      “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

      --
      It is unwise to ascribe motive
    2. Re:This is not reassuring by gstoddart · · Score: 2

      And without authorization from the owner of the car, or notification it was being done.

      So, violation of the computer fraud and abuse act?

      Sure sounds like hacking to me. Oh, but it's a corporation, so it's OK.

      --
      Lost at C:>. Found at C.
  10. "secretly started pushing updates" by Nutria · · Score: 1

    That's pretty laden with strong, negative emotional connotations. What's the justification?

    Why not just read it as they started quietly pushing updates?

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:"secretly started pushing updates" by beschra · · Score: 1

      Quietly: suggests caution, or even wisdom, due to security and safety concerns
      Secretly: suggests a pure profit motive. Avoid scaring people so they keep buying our cars

      The full story is probably a mix of the two.

      --
      It is unwise to ascribe motive
    2. Re:"secretly started pushing updates" by Nutria · · Score: 1

      Nutria's corollary to Hanlon's Razor: never ascribe to malice what can adequately be ascribed to bureaucracy.

      IOW, they certainly wondered why they needed to send out millions of post cards (which is how auto companies communicate with their users) when just fixing the problem is so much simpler.

      --
      "I don't know, therefore Aliens" Wafflebox1
    3. Re:"secretly started pushing updates" by Anonymous Coward · · Score: 0

      That's pretty laden with strong, negative emotional connotations. What's the justification?

      Why not just read it as they started quietly pushing updates?

      Because their original system was not supposed to be able to push updates. That's actually what the original hack was... a way to push software updates onto anyone's OnStar enabled vehicle.
      So GM then used that security hole, to push a new software package, which now DOES support remotely pushing updates.

      And the justification for "secretly" hinges on the phrase "push updates". As in, whether you want it or not they will update your car, and do it without telling you they're doing it. Pretty much the definition of "secret", so that's why the word was used.

  11. Who needs it? by digitalPhant0m · · Score: 1

    I didn't know stealth was an available upgrade, not sure how I'd use it except to avoid speeding tickets.... Oh wait....

  12. Really? by nnull · · Score: 2

    I'm getting sick and tired of this. The stuff that so many engineers and technical people have been touting for so many years is happening right before our eyes. I'm still waiting for the phone armageddon which is already happening with so many phones being hacked (Even your old phone won't help you here with the baseband exploits). Pretty soon we'll be tossing all our phones in the garbage.

    These people touting the exploits end up getting laughed out of IEEE conferences by manufacturers and their butt buddies, that's how bad it is.

    Until the industry decides to take things seriously, nothing is going to change.

  13. Bullshit on the secret updates by AndyKron · · Score: 1

    Secretly pushing updates is absolute BULLSHIT

  14. How does a consumer test for the vulnerability? by ShaunC · · Score: 4, Interesting

    As someone who drives a GM car that came with an OnStar antenna, a rearview mirror full of OnStar buttons, and an OnStar free trial... How do I determine whether or not my car is vulnerable? Whether it received the patch? Which generation of OnStar my car has?

    I haven't had anything to do with OnStar since I was driving down the interstate and suddenly received a loud and unexpected phone call from a fucking OnStar telemarketer. My trial, which came with the car and which I hadn't used, was about to expire, so they decided to make a sales call. To my car. While I was driving. Out of nowhere, the car muted the radio, made some very loud dinging noises, and started blasting an unknown woman's voice over the stereo system while I was driving down the highway. She's asking me if I want to sign up for OnStar at such and such monthly rate. I have never been so distracted by anything while behind the wheel of a car, and vowed never to use any OnStar service again.

    I'd just like to know whether or not the OnStar in my car, which I had hoped was disabled after not paying for it, will attempt to kill me again.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    1. Re:How does a consumer test for the vulnerability? by sinij · · Score: 1

      It is still there, vulnerabilities and all, and they are still using it to collect information about you.

    2. Re:How does a consumer test for the vulnerability? by sjames · · Score: 1

      You will need to pull the fuse or disconnect the communication module. Otherwise, it is still vulnerable to hacking and/or (probably) a FISA rubber stamp.

    3. Re:How does a consumer test for the vulnerability? by Lumpy · · Score: 1

      all of them have problems, disconnect the onstar antenna from the module and stop worrying.

      --
      Do not look at laser with remaining good eye.
  15. How does a consumer react to privacy invasion ? by Anonymous Coward · · Score: 0

    NEVER respond to calls from people you don't know, let them talk... to voicemail.
    Especially sales calls.
    NEVER talk, let alone clearly in your normal voice, until you know who they are and what they want.
    Otherwise they will voiceprint you and add your voice to their database and sell your voice along with it.

    Take back your privacy...
    https://mcafee16.com/

  16. Still broken. by Lumpy · · Score: 1

    OnStar is easily compromised via MITM attack and has been for 2 decades now. They need to give it decent encryption and allow the car owners to set passwords/PIN numbers in the car system themselves so that the car will ignore all communication attempts without it.

    --
    Do not look at laser with remaining good eye.
  17. Now GM is adding WiFi just imagine the problems by Anonymous Coward · · Score: 0

    I will never have anything to do with OnStar or any vehicle-supported WiFi system. You're just asking for trouble, and it's why WiFi in aircraft is supposed to be separated from airplane electronics. In most of the automotive WiFi it's just too tied to the vehicle systems. Run away from that stuff. Much better options that work better.

  18. How would NSA track us? by Anonymous Coward · · Score: 0

    Think of all the terror if they didn't have logs of our every moment to and from work and lunch each day?

  19. Why "the same computer" does so much in cars by Anonymous+Brave+Guy · · Score: 1

    I don't understand why the same computer needs to handle both work loads as they do not cross over in functionality or need.

    There is a half-truth here.

    The underlying problem is that a lot of the electronic systems within most modern cars probably communicate using an insecure channel. The systems were designed with the assumption that the other devices on the same bus were trustworthy. And of course, they typically were, before remote access came along.

    Today that assumption no longer holds, but a lot of systems that seem unrelated do actually have genuine reasons to interact to some degree. For example, consider a modern system that will call the emergency services in the event of a crash, which is obviously a beneficial feature other than in contrived situations. However, that system needs to know whether a crash has occurred, and how is it going to do that? It needs access to some sort of sensor, but by its nature that same sensor is probably also used by some of the other modern systems that provide collision avoidance/mitigation features. Bang, now you've a link between a system that has remote communication capabilities and a system that has a need for direct control of essential vehicle systems.

    One possible solution to this is to have proper internal firewalls so that trust is only given where it's actually necessary, and it can also be a one-way relationship. However, this simply isn't possible with the current generation of bus-based designs that a lot of these modern vehicles use. So, the car companies don't want to acknowledge the problem because that would potentially increase their liability if anything later goes horribly wrong. Since they can't ship a software update to fix the numerous potentially at-risk vehicles they already sold, nor retrofit more secure infrastructure in a financially viable way, there would be nothing they could do to control that risk.

    The result is the three wise monkeys calling the shots, and unfortunately the commercial incentives are likely to keep it that way until either serious laws with meaningful penalties are passed or something awful happens.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Why "the same computer" does so much in cars by Ravaldy · · Score: 1

      I agree with everything you said except that it doesn't explain the connection between the systems

      However, that system needs to know whether a crash has occurred, and how is it going to do that? It needs access to some sort of sensor, but by its nature that same sensor is probably also used by some of the other modern systems that provide collision avoidance/mitigation features. Bang, now you've a link between a system that has remote communication capabilities and a system that has a need for direct control of essential vehicle systems.

      This is a problem that is easily solved by providing read only access to sensor data. There is no reason for the external communication systems to allow write operations of any sort.

    2. Re:Why "the same computer" does so much in cars by Anonymous+Brave+Guy · · Score: 1

      This is a problem that is easily solved by providing read only access to sensor data. There is no reason for the external communication systems to allow write operations of any sort.

      Absolutely true, but unfortunately a lot of cars shipping today have a CAN bus architecture that can't make that distinction, and the components communicating via the bus aren't set up with the necessary security in mind either. That's a large part of the problem here.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
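The two posts above (the shared-sensor problem and the "read-only access to sensor data" answer) describe a design rather than show one, so here is an added example of the one-way gateway idea in working code. It is not code from any commenter, from GM or from OnStar; it is a simulation of a gateway ECU sitting between a safety-critical bus segment and the remotely reachable telematics segment. The segment names, the arbitration IDs (0x3A0, 0x1C4, 0x0B2, 0x7DF) and the sample traffic are all constructed for illustration; real vehicles use OEM-specific IDs. The point it demonstrates beyond the text: the forwarding decision is keyed on the physical port a frame arrived on, not on the ID in the frame, which is what makes the "read-only" direction hold even if the telematics unit forges a safety-critical ID.

```python
"""Toy CAN gateway enforcing one-way trust between two bus segments.

Added example, not from the thread. IDs, segment names and traffic are
assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bus segments (names are assumptions for this example).
POWERTRAIN = "powertrain"   # airbag, brakes, wheel sensors: safety-critical
TELEMATICS = "telematics"   # the unit with the cellular modem

# Hypothetical arbitration IDs; real ones are OEM-specific.
ID_CRASH_EVENT = 0x3A0   # airbag ECU announces a crash (what an eCall unit needs)
ID_WHEEL_SPEED = 0x1C4   # wheel speed broadcast
ID_BRAKE_CMD   = 0x0B2   # brake actuator command
ID_DIAG_REQ    = 0x7DF   # OBD-II functional diagnostic request

# Export allowlist: the only IDs ever copied from powertrain to telematics.
EXPORT_ALLOW = frozenset({ID_CRASH_EVENT, ID_WHEEL_SPEED})


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit standard identifier
    data: bytes   # classic CAN payload, 0..8 bytes
    origin: str   # segment the gateway physically received this frame on

    def __post_init__(self) -> None:
        if not 0 <= self.arb_id <= 0x7FF:
            raise ValueError("11-bit arbitration ID expected")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")


def route(frame: CanFrame) -> Tuple[Optional[str], str]:
    """Decide where a frame goes. Returns (destination segment or None, reason)."""
    if frame.origin == POWERTRAIN:
        if frame.arb_id in EXPORT_ALLOW:
            return TELEMATICS, "exported: sensor ID on allowlist"
        return None, "dropped: not on export allowlist"
    if frame.origin == TELEMATICS:
        # Keyed on the arrival port, not the ID: a telematics unit that forges
        # ID_CRASH_EVENT or ID_BRAKE_CMD is blocked exactly like any other frame.
        return None, "dropped: telematics segment is receive-only"
    return None, "dropped: unknown segment"


def run_gateway(frames: List[CanFrame]) -> List[Tuple[int, str, Optional[str]]]:
    """Apply the policy to a batch; returns (id, origin, destination) per frame."""
    return [(f.arb_id, f.origin, route(f)[0]) for f in frames]


def forwarded_count(frames: List[CanFrame]) -> int:
    """Number of frames that actually cross the gateway."""
    return sum(1 for _, _, dest in run_gateway(frames) if dest is not None)


# Constructed sample traffic: legitimate sensor broadcasts plus what a
# compromised telematics unit might try to inject.
SAMPLE_TRAFFIC = [
    CanFrame(ID_WHEEL_SPEED, b"\x00\x3c\x00\x3c", POWERTRAIN),  # forwarded
    CanFrame(ID_CRASH_EVENT, b"\x01", POWERTRAIN),              # forwarded
    CanFrame(ID_BRAKE_CMD, b"\x00\x10", POWERTRAIN),            # stays internal
    CanFrame(ID_BRAKE_CMD, b"\xff", TELEMATICS),                # injected: dropped
    CanFrame(ID_CRASH_EVENT, b"\x01", TELEMATICS),              # forged ID: dropped
    CanFrame(ID_DIAG_REQ, b"\x02\x10\x02", TELEMATICS),         # diag session: dropped
]

if __name__ == "__main__":
    for frame in SAMPLE_TRAFFIC:
        dest, reason = route(frame)
        print(f"0x{frame.arb_id:03X} from {frame.origin:<10} -> {dest or '-':<10} {reason}")
    print(f"{forwarded_count(SAMPLE_TRAFFIC)} of {len(SAMPLE_TRAFFIC)} frames forwarded")
```

Two caveats a practitioner would add: a real gateway also has to rate-limit the exported IDs (a sensor flood on the telematics side is still a denial of service for the eCall function), and this separation only helps if the telematics unit genuinely sits on its own segment; on a single shared CAN bus, as the post above notes, there is no port to key the decision on and no way to distinguish a read from a write.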