Old 01-17-2023, 06:18 AM   #1
ardyzl1
Professional Paranoiac
 
 
Drives: Camaro ZL1
Join Date: Jan 2023
Location: In the basement
Posts: 6
Can your Camaro (or any modern car) be hacked remotely?

I'm a retired IT systems admin. I wrote and debugged large scale internal applications for a well known three letter company. I am not a security expert, but I know about some of the basics.

I stumbled upon this article on Bruce Schneier's Blog. Bruce Schneier is one of the world's foremost IT security experts.
Remote Vulnerabilities in Automobiles

https://www.schneier.com/page/2/


He links to this article by some other security experts.

https://samcurry.net/web-hackers-vs-the-auto-industry/

This is pretty serious stuff. The good news is that GM is not mentioned in the article. The bad news is that GM and all other auto manufacturers are vulnerable to all the same hacks because they all use the same type of systems.

If you are not a computer security expert you probably won't understand much of it, and I don't understand all of it myself either. But what it means is that there are a whole bunch of ways to access your car remotely, and hackers can do it as well as unscrupulous dealers, repair shops, OnStar, auto makers, and their employees. In fact good hackers can probably do more than authorized personnel, simply because hackers understand the technology better than most authorized employees.

I don't know what the solution is, but I would guess that we really need to be using two factor authentication and go back to physical keys to lock and unlock things. Combined, this becomes three factor authentication, and even that may not be totally secure. Hackers are very clever guys.

One thing that really disturbs me is the use of the infotainment system to control non-entertainment aspects of the car. At this time there really isn't a whole lot you can do about it because everything is interconnected. That's a big security no-no. Any time you allow remote access, you have an attack vector that can't be easily closed.

I think we should all start thinking about security and perhaps find some way of letting GM know that it IS important to customers. The auto makers simply provide what customers want, and when it comes to computer security, it's a lot easier to make the system work than to make it work securely. And a lot cheaper too.

Complex systems are incredibly difficult to develop and bugs are inevitable. Just fixing the bugs is so overwhelming that security is often left behind, especially because good security makes debugging even harder, and secure code is just that much more stuff to debug.

I for one will not use SiriusXM but I don't think you can just disconnect these cars from their manufacturer without disabling functionality. I could be wrong though.

Any IT security guys out there have any thoughts or suggestions?
Old 01-17-2023, 08:19 AM   #2
Wyzz Kydd
Banned
 
Drives: 2018 Camaro SS1 1LE
Join Date: Feb 2017
Location: Georgia
Posts: 1,595
It looks like GM vehicles are vulnerable through both SiriusXM and OnStar, which is a part of Spireon, prominently mentioned in the article.
Old 01-17-2023, 08:26 AM   #3
FlukeSS

 
 
Drives: 2020 Camaro 2SS A10
Join Date: Jun 2018
Location: Michigan
Posts: 1,382
Food for thought as it relates to the topic:

Teslas can be remotely connected to at any time by Tesla, even changing the tuning of your vehicle remotely if you were to say... Upgrade a battery turning the vehicle into an S90, when it was actually an S50/60 from the factory.

There was one story where Tesla tuned the vehicle back to S50/S60 even though it had an upgraded battery. Which effectively removed the actual range the vehicle could get. I believe there was a lawsuit about it as well.
__________________
2020 Camaro 2SS A10 | Rebuilt by: CBI Street Cars | 2" SE LT Headers | 3" SE X-Pipe | 3" MBRP Axle-Back | Pri & Sec Cat Deletes | K&N Typhoon CAI | LT2 Ported | 95mm ZR1 TB | DOD Delete | BTR Stage I Cam | ECM, TCM & E85 |Tuned by: Shane Hinds | Dyno: 510 rwhp 472 rwtq
Old 01-17-2023, 08:31 AM   #4
jamala00


 
 
Drives: 2016 Camaro 2SS Hyper Blue Metallic
Join Date: May 2020
Location: WI
Posts: 2,451
If it can be accessed via the internet it can be hacked.
Old 01-17-2023, 08:54 AM   #5
90503


 
 
Drives: 2011 2SS/RS LS3
Join Date: Nov 2011
Location: Torrance
Posts: 14,428
The trend is to subscribe and pay the mfr to hack your car for a fee...lol
Old 01-17-2023, 09:03 AM   #6
Odabo
 
 
Drives: Chevrolet Blazer
Join Date: Oct 2021
Location: Space Coast
Posts: 242
Thanks ardyzl1 for posting the article that exposes automotive cybersecurity vulnerabilities. This article points out nearly every auto manufacturer is affected in some way. It is puzzling to me the level of indifference exhibited by some of the companies in the article, especially when the impact from hacker activity could result in loss of life and at best denying a vehicle owner access to their own vehicle. I'm no cybersecurity expert but I have over 25 years of software engineering experience along with mechanical reliability engineering and I've witnessed it myself how companies will not implement common sense security measures in products unless mandated by their customers or in order to win a new government contract. Sadly, companies believe it is more costly to implement security measures because they cannot charge extra for them. All the while foolishly believing that should a breach occur the end user will be responsible not the company that makes the software. Another area that sometimes contributes to vulnerability is using open source products and 3rd party libraries, but the users (in this case the auto manufacturers) have an obligation to ensure those products do not create exposures. (Open source community is generally very good about identifying and fixing holes).

We all get tired of increased government regulation but I believe laws need to be updated to reflect today's modern reality which is vehicles and products in general are more internet connected than before. I also believe vehicle owners should have the means to disconnect their car from the internet if they choose. I can only imagine the uproar that would ensue if a famous celebrity's car was hacked and it plunged off the cliff. Everyone would point to the hacker as the problem forgetting the fact that it was the auto manufacturer that enabled the incident to occur. Just like a celebrity, us common folk need to feel safe driving to church, the store, or your child's sporting event. Everyone needs to take cybersecurity seriously, including auto manufacturers.
__________________
2023 2SS 1LE Radiant Red, A10, PDR, Black Lugs, ACS Rock Guards, ACS ZL1 1LE Side Skirts
Old 01-17-2023, 01:14 PM   #7
JTS
 
 
Drives: 2023 ZL1 A10
Join Date: Nov 2021
Location: Az
Posts: 624
So to start, get rid of OnStar (which I unsubscribed) and cancel SiriusXM?
__________________
2023 ZL1 A10 Shadow Gray Metallic
Old 01-17-2023, 01:29 PM   #8
ardyzl1
Professional Paranoiac
 
 
Drives: Camaro ZL1
Join Date: Jan 2023
Location: In the basement
Posts: 6
I might be paranoid but . . .

I happen to know that if a large company does business with the U.S. government, they ARE in fact vetted for cyber security. And some companies do take their security more seriously than others. I suspect GM is among the "good guys" if there is such a thing because they have LOTS of government contracts. Probably Chrysler and Ford too. But nobody is perfect.

Also, every laptop has a camera in the middle of the top bezel of the lid. I keep a piece of tape on mine. And some smart TVs also have a camera, usually in that same location, ostensibly to watch eye movements so they can track if you are watching commercials. I'm the kind of guy that has duct tape all over my cell phone, and my TV too. There are several thousand companies buying and selling personal information. You've never heard of most of them. The main thing that saves us from spyware is that the amount of data collected is so enormous that only AI software can analyze it. There ain't no guys huddled around screens in underground buildings poking through your dossier, there's just too much data to wade through.

When hackers do get their script kits, they aren't likely to be worried about you personally. What they might do is unlock your car so somebody can drive it away while you are inside the movie theater or whatever. These cars are very desirable so I don't think they want to damage or hurt for fun, they want to make a buck. My main paranoid fear is walking out of the store to find an empty parking stall where my car used to be.
Old 01-18-2023, 12:18 PM   #9
tlr3715
 
Drives: 2002 Z28, 2023 1LT RS Redline
Join Date: Sep 2022
Location: New York
Posts: 78
Don’t think unsubscribing from OnStar and satellite radio will protect you. Vehicles can still get updates without those. You would have to disable the satellite and Wi-Fi antennas. Not sure if that would cause issues with the legitimate software already installed though.
Old 01-18-2023, 03:29 PM   #10
JTS
 
 
Drives: 2023 ZL1 A10
Join Date: Nov 2021
Location: Az
Posts: 624
Sad to hear that this can happen, but not surprised. It may be worth switching to HAGERTY, and pay double for an Agreed Value policy. Agreed Value never Depreciates. Go about my business enjoy the car, and if something happens, I am reimbursed MSRP.
__________________
2023 ZL1 A10 Shadow Gray Metallic
Old 01-18-2023, 04:23 PM   #11
Jus Cruisin
Old Gearhead
 
 
Drives: 2023 GMC Sierra Denali Ultimate
Join Date: Nov 2018
Location: MI
Posts: 546
Shoot, with my current F150, Ford can't even access the truck most of the time to push OTA updates. I don't lose sleep over it.
__________________
2023 Camaro ZL1 convertible - black - SOLD
2023 GMC Sierra Denali Ultimate - black
Old 01-18-2023, 07:56 PM   #12
NZ ZL1
 
Drives: Dodge Charger, Chevrolet Camaro
Join Date: Feb 2021
Location: Auckland, NZ
Posts: 29
Quote:
Originally Posted by Wyzz Kydd
It looks like GM vehicles are vulnerable through both SiriusXM and OnStar, which is a part of Spireon, prominently mentioned in the article.
Good thing that OnStar doesn't work down here, as there's no satellites
Old 01-18-2023, 08:38 PM   #13
Matt1LE
 
 
Drives: 2020 3LT Camaro 3.6L 1LE
Join Date: Feb 2020
Location: San Diego
Posts: 256
If OnStar can disable your vehicle via a signal, you don't own the software on GM cars (GM won that case, 2014?), and local governments want to charge you miles driven per region driven; your car can be hacked. Period



The only real solution is manually disconnect your satellite antenna. Of course this would now lead to other issues.
Old 01-18-2023, 11:26 PM   #14
GroundhogSS


 
 
Drives: '17 2SS convertible'20 Yukon Denali
Join Date: Nov 2011
Location: Cedar Park, Texas
Posts: 2,934
I thought that XM was receive only but maybe that's not true. I do remember when the 6th Gen first came out, several people posted how to disconnect the OnStar module from the car. I think the module is behind the glove box somewhere.
__________________
Richard
2017 2SS SIM convertible, A8, NPP, MRC, 56R wheels, GM CAI, Diode Dynamics Side Markers

Delivered: 08/15/2016

#TeamBeckyD

 