I'm a retired IT systems admin. I wrote and debugged large scale internal applications for a well known three letter company. I am not a security expert, but I know about some of the basics.
I stumbled upon this article on Bruce Schneier's Blog. Bruce Schneier is one of the world's foremost IT security experts.
Remote Vulnerabilities in Automobiles
https://www.schneier.com/page/2/
He links to this article by some other security experts.
https://samcurry.net/web-hackers-vs-the-auto-industry/
This is pretty serious stuff. The good news is that GM is not mentioned in the article. The bad news is that GM and all other auto manufacturers are vulnerable to all the same hacks because they all use the same type of systems.
If you are not a computer security expert you probably won't understand much of it, and I don't understand all of it myself either. But what it means is that there are a whole bunch of ways to access your car remotely, and hackers can do it as well as unscrupulous dealers, repair shops, OnStar, auto makers, and their employees. In fact good hackers can probably do more than authorized personnel, simply because hackers understand the technology better than most authorized employees.
I don't know what the solution is, but I would guess that we really need to be using two factor authentication and go back to physical keys to lock and unlock things. Combined, this becomes three factor authentication, and even that may not be totally secure. Hackers are very clever guys.
One thing that really disturbs me is the use of the infotainment system to control non-entertainment aspects of the car. At this time there really isn't a whole lot you can do about it because everything is interconnected. That's a big security no-no. Any time you allow remote access, you have an attack vector that can't be easily closed.
I think we should all start thinking about security and perhaps find some way of letting GM know that it IS important to customers. The auto makers simply provide what customers want, and when it comes to computer security, it's a lot easier to make the system work than to make it work securely. And a lot cheaper too.
Complex systems are incredibly difficult to develop and bugs are inevitable. Just fixing the bugs is so overwhelming that security is often left behind, especially because good security makes debugging even harder, and secure code is just that much more stuff to debug.
I for one will not use SiriusXM but I don't think you can just disconnect these cars from their manufacturer without disabling functionality. I could be wrong though.
Any IT security guys out there have any thoughts or suggestions?