The Year Of The Car Hack? GM Onstar, VW, Audi and Many Others

August 18, 2015 mitch tanenbaum Leave a comment

GM Says that they have fixed the vulnerability that allowed a hacker to take over the GM Onstar Remotelink software. Once the hacker has taken over the software, she can do anything the owner can do – remote unlock, remote start, etc. The attack worked because GM was not validating the SSL certificates used by the app. The researcher says not only does it still work but he has extended the attack to work on BMW Remote, Mercedes-Benz mbrace, Chrysler’s Uconnect and Viper SmartStart.

The researcher only tested his attack on iPhones, but I suspect the same technique will work on Android phones too.

The challenge here, of course, is designing mobile software securely. While you may not like it if your mobile game leaks your name or age, you really won’t like it if your mobile apps gets your car stolen. Banking apps figured this out a long time ago. I guess automakers have to learn it all over again.

Now, on to VW.

Bloomberg is reporting that VW has been fighting security researchers for two years because they want to release a paper on a security vulnerability that they found the remote keyless entry system. The vulnerability affects not only VW, but also Fiat, Audi, Ferrari, Porsche and Maserati. VW has finally given in and the paper will be published with very minor redactions.

The rub is that the only fix is to replace both the keys and the controller inside the car. Given that this likely affects millions of cars and VW would have to pay for all of these car manufacturers to recall these cars, VW would like this to go away.

Pretending security flaws don’t exist is kind of common and unless security researchers are allowed to continue exposing them, the only people who will know about the flaws are the bad guys. There are some proposed U.S. laws that would make this research illegal. Those in the know have been fighting against this, but it is a continuing battle.

Would you prefer that security researchers operate in public, tell companies and product owners that they are vulnerable and allow the vulnerabilities to get fixed. Or, would you prefer they operate in the shadows and sell their exploits to organized crime? How much do you think a car theft ring would pay for an exploit that allows them to own a high end Audi or BMW in less than 60 seconds? I assume that would be worth tens of millions.

The London police say that 42% of stolen vehicles is done via hacking the keyless entry systems. That’s pretty amazing.

As I keep saying – convenience or security, pick one.

On the other hand, it doesn’t mean that you cannot make technology bullet resistant (notice I didn’t say bullet proof), but it takes some work.

I am not sure why, but this year seems to be the year of the car hack. They year is not over yet, so stay tuned.

Information for this post came from SCMagazine and Bloomberg.