OnStar Redux
Back on October 12, 2007, we posted a piece Should OnStar Shut Your Car Down? on this blog. Well, lo and behold, the New York Times just reported this past Friday that,
"Automobiles, which will be increasingly connected to the Internet in the near future, could be vulnerable to hackers just as computers are now, two teams of computer scientists are warning in a paper to be presented next week." (See Cars’ Computer Systems Called at Risk to Hackers by John Markoff, May 14, 2010, web version May 13, 2010.)
The two groups found that, "they were able to remotely control braking and other functions," and "the car industry was running the risk of repeating the security mistakes of the PC industry" (before PCs became widely networked and there were relatively few security incidents).
The stuff they could do was really scary,
"We demonstrate(ed) the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.”
Can you imagine what it would be like to be in a car traveling at high speed while being subjected to such an attack?
And what would happen when you had to answer to the cops if you somehow survived? Well, the researchers
"also demonstrated what they described as 'composite attacks' that showed their ability to insert malicious software and then erase any evidence of tampering after a crash"
Oh boy! Things look bad. But how could a malicious hacker get access to your car's electronics when your car is not connected to the internet? Well, the Times article pointed out that, "Wireless connections are increasingly becoming available in a wide range of automobiles," and it singled out "services like the OnStar system from General Motors (which) now report(s) vehicle position and diagnostic information to the manufacturer."
In our original OnStar post, we asked for legitimate security researchers "to try to hack into OnStar (and other systems) just to find out how easy or hard it is to do."
The good news is that security researchers have started to do just that. The bad news is that it turns out to be easy to do. Toyota and GM and other automobile manufacturers, TAKE NOTICE.
The researchers report is Experimental Security Analysis of a Modern Automobile, and will be presented at a computer security conference this week in Oakland California.
The opinions expressed in this post are those of the author and should not be interpreted as an official position of The Julie Group.
--Chip Neville