Slashdot Mirror

← Back to Stories (view on slashdot.org)

GM Performs Stealth Update To Fix Security Bug In OnStar

Posted by timothy on from the just-trust-us dept.

An anonymous reader writes: Back in 2010, long before the Jeep Cherokee thing, some university researchers demonstrated remote car takeover via cellular (old story here). A new Wired article reveals that this was actually a complete exploit of the OnStar system (and was the same one used in that 60 Minutes car hacking episode last year). Moreover, these cars stayed vulnerable for years -- until 2014, when GM created a remote update capability and secretly started pushing updates to all the affected cars.

10 of 91 comments (clear)

  1. The only fix... by Anonymous Coward · · Score: 5, Insightful

    The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

    1. Re:The only fix... by cayenne8 · · Score: 3, Interesting

      The only fix for the security problems with Onstar and any similar system is total removal of the hardware and software!!!!!

      Or at least the car manufacturers should give the purchaser the OPTION on whether to have this hardware/software installed or not.

      It used to be an "option"...why did it become now a standard fixture. Sadly it seems these systems are so integrated now, you can't keep the car functioning without them.

      It should be a modular thing that you can request to have or not have....

      Are there any good ways to disable OnStar and the Uconnect apps, and prevent them from communicating wirelessly at least?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    2. Re:The only fix... by Archangel+Michael · · Score: 3

      OnStar is GM's version of ongoing revenue stream from previous customers.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:The only fix... by cayenne8 · · Score: 3, Informative

      Last time I went to buy a car (2010) I was told by two different dealerships (Hyundai and Ford) that requesting anything was no longer "a thing" (though I could buy an aftermarket radio upgrade at full price plus installation and no, they won't deduct the cost of the basic radio from the car). You can't even ask for them to get a car in a certain color (in my case, silver, not some freaky special order limited edition "burnt yellow ice" or whatever). You can buy what they've got on their lot or you can take your money and shove off. Ended up buying a Honda (they had a silver car in stock, so I don't know if they'd have stonewalled me as well).

      Wow..that's strange. I mean, on both the Ford and Hyundai websites, you can select and build out any model of their car offerings you want.....

      I know they want to sell you one from stock, but as far as I know, choosing your car model, color and whatever options are available (some cars do have very limited options, but others have more) is still in the cards for most car shoppers.

      It is just the wireless, phone home control centers in cars that I don't want....hell, I'd actually prefer mechanical analog gauges....one less thing to break due to some electrical gremlin....

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:The only fix... by gweilo8888 · · Score: 3, Informative

      Choosing your own color and options is still perfectly feasible. Choosing a car without the potential of a built-in ongoing revenue stream, sadly, is not. And that goes for both OnStar *and* Sirius, both of which I would personally prefer not to have in my next vehicle -- but short of choosing an awful econobox that I dislike in every way, forgoing those unwanted add-ons simply isn't possible any more.

    5. Re:The only fix... by aaron4801 · · Score: 4, Informative

      I don't own a GM car, but it seems that at least some vehicles will have a separate fuse and/or control system for OnStar:
      3 ways to deactivate OnStar

  2. That will never happen. by Anonymous Coward · · Score: 3, Insightful

    What you propose is at variance with how the market works.

    People will get upset every time an exploit is found. The vendor will give assurances that the problem has been fixed (whether it has or not), and business will proceed as usual.

    You can pound your fist and say it shouldn't be that way all you like. But it is that way. All you can really do is figure out the best way to adapt to it.

    Trying to control the world will only bring you stress.

  3. alternative updates are available. by nimbius · · Score: 3, Funny

    As I graduated last year and assumed my engineering role at mcdonalds (ketchup extrusion/mustard analytics) I became aware of this 2010 exploit and, in keeping with slashdots hacker culture, created my own workaround in case my vehicle were to make the list of coveted hackable hardware.

    my 2001 crown victoria police interceptor has been modified slightly to emit a protective haze of burnt oil to stealthfully evade hackers. Whats more, the suspension has been recalibrated to bob and duck at the slightest bump, and shake violently at speeds above 40 miles per hour in an attempt to elude hackers signals. Finally, I use crippling student debt technology to ensure that flipping on my dome light and barking orders to OnStar does virtually nothing to the vehicle. For added protection, you can put the car into 'stealth mode' if you have an arts degree by avoiding oil changes and fuel in exchange for more ramen this month.

    --
    Good people go to bed earlier.
  4. This is not reassuring by beschra · · Score: 5, Interesting

    From GM chief product cybersecurity officer Jeff Massimilla:

    “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

    They hacked it so they could hack it. I'm glad GM has my back.

    --
    It is unwise to ascribe motive
  5. How does a consumer test for the vulnerability? by ShaunC · · Score: 4, Interesting

    As someone who drives a GM car that came with an OnStar antenna, a rearview mirror full of OnStar buttons, and an OnStar free trial... How do I determine whether or not my car is vulnerable? Whether it received the patch? Which generation of OnStar my car has?

    I haven't had anything to do with OnStar since I was driving down the interstate and suddenly received a loud and unexpected phone call from a fucking OnStar telemarketer. My trial, which came with the car and which I hadn't used, was about to expire, so they decided to make a sales call. To my car. While I was driving. Out of nowhere, the car muted the radio, made some very loud dinging noises, and started blasting an unknown woman's voice over the stereo system while I was driving down the highway. She's asking me if I want to sign up for OnStar at such and such monthly rate. I have never been so distracted by anything while behind the wheel of a car, and vowed never to use any OnStar service again.

    I'd just like to know whether or not the OnStar in my car, which I had hoped was disabled after not paying for it, will attempt to kill me again.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!