Hacker shows he can locate, unlock and remote start GM vehicles (computerworld.com)
211 points by henrik_w on Aug 5, 2015 | hide | past | favorite | 175 comments

OnStar sent this email out on July 31st:

  Thank you for being a loyal OnStar customer. We're happy to have you as part
  of the OnStar family and appreciate the confidence you have in us.

  We are writing to inform you that we have recently made a security update to 
  your OnStar RemoteLink mobile app. As a result, the current version of the 
  app you have on your Apple device will no longer be functional and you 
  will need to update to the most recent version.

  Click here to download the Remote Link app.

  We hope that you will continue to use OnStar services and experience all 
  that OnStar has to offer. OnStar advisors are ready and available 24/7 
  to assist you.

  Terry M. Inch
  OnStar, Chief Operating Officer

I would never ever want to be in a car whose acceleration can be controlled remotely via the Internet, even in theory.

Modern cars run on CANbus. Everything is linked. No, seriously, everything: steering (at low speeds, the park assist can be exploited), brakes, lights, radio, a/c.

You'd have to go back at least ten years to find cars without it.

Then "modern cars" can never be considered safe, and whoever the professional engineers are that signed off on that design have some explaining to do. "Market forces" or "following my boss's orders" are not valid excuses; a professional engineer has a duty to ignore such things when considering safety.

I suspect whole auto industry needs to re-learn (if they ever learned in the first place) the lesson of the Therac-25 and what "fail safe" means. Some dangerous situations should not be possible.

Unfortunately, I suspect the auto industry will choose to learn those lessons the hard way. When people die from someone messing with their steering or brakes remotely, I hope whoever signed off on the idea of mixing remote signalling with critical systems is found personally liable for manslaughter.

Does the software industry even have a requirement for professional licensure? If not, then there is no "professional engineer" that signed off on the design and there is no regulatory liability and hence no questions to answer by the engineer.

This is one of the big problems with the software industry nowadays. It has a role to play in nearly every major industry but does not have the same regulatory hoops to jump through to get into that industry. In this case, I am sure multiple mechanical and electrical licensed professional engineers had to stamp all of the physical components that make up the vehicle, but I would be very surprised if any software was ever signed off on by a licensed professional engineer explicitly (there is a case to be made for implied acceptance by the engineer of record for the system that the software runs on, but I think it is weak).

At least in the US, it is entirely plausible that many of the electrical engineers working in a large company on such a product are not licensed professional engineers.

There are no cars on the road that have brake lines that are tamper proof, so I'm not sure you are setting the bar at the correct level.

It will be interesting to watch the ongoing situation with Chrysler:


If the class action goes forward there will be a legal examination of whether a security flaw that allows remote tampering is a safety defect or not (of course it is, but I mean in the context of liability).

Are you arguing the difference in the ease with which digital information can be altered compared to physical reality is a negligible difference?

I'm pointing out that shipping imperfect software has not yet been determined to be negligence.

I pretty much expect that automakers will quickly start shipping systems with effective segregation (the cost pretty clearly doesn't outweigh the PR downside), so the interesting question really is whether the cars on the road today represent negligence or not.

And how would OnStar remotely disable your vehicle or slow it down if it wasn't connected to the network.


I hope they get this sorted before self driving cars... (50 bitcoin in 20 minutes or your car takes a drive off the pier...)

That's really the problem...just like feds wanting backdoors that "only they" can access, Onstar thought it was clever and could grant itself powers in software that no one would be able to exploit. Too bad the people who are best at exploiting software aren't likely to work for companies like Onstar (I'm not saying Onstar is disreputable, just probably boring and with a low skill ceiling).

> 50 bitcoin in 20 minutes or your car takes a drive off the pier

I would NOT like to think about what would happen to someone who tried this sort of thing. I expect within seconds of the first accident (or worse, injury, even fatality) causing malware being discovered, the resources of the entire NSA would be being used to track down the author. Then, when found, 'bad day' would not begin to describe the rest of their life. In fact, I can see this sort of thing being validly placed under 'terrorism' and dealt with appropriately.

People who randomly attack vehicles being driven around today (brick thrown off bridge over a busy road into windscreen et al) are not the smartest, or have poor self control or other issues, but they are actually quite rare. To pull off an automated hack would require enough intelligence that they can surely understand the consequences. Therefore, this will be done by a genuine psychopath (or sociopath? never quite sure of the terminology) or terrorist group.

I think we should be as worried about vehicular-malware-based-death as we are about dying from other terrorist attacks. So yes, I know that means the risk is small, but the general public will over estimate it, and worry inappropriately. That seems to be a matter of education, not technology, though...

It's true, and it's the whole basis for CAN networks. The whole car runs without a central computer, but rather, a set of microcontrollers for all of the different functions of the car. Every single microcontroller, more or less, broadcasts messages to all of the other ones along the bus. I'd say you'd probably have to go back even further than 10 years as the latest CAN spec, 2.0, was published in 1991.

But every microcontroller on the network doesn't have to listen to messages from the others.

The real problem is that the designers of CANBUS never dreamed of a day when rogue nodes could show up on the network and start broadcasting messages they should not be broadcasting. Automotive embedded systems were closed loops and, aside from perhaps a diagnostic tool in the garage while parked, not susceptible to spoofing messages.

I wouldn't even blame the designers of CAN-bus. The crazy thing is that GM/Chrysler allow media devices and general computers on the CAN-bus without a firewall.

It's easy to say that the architecture is flawed, but that's no excuse at all. The CAN-bus allows control of the car, so non-control devices should not be allowed to send control messages on the CAN-bus.

It's the same as blaming the insecure architecture of the internet when your password gets snooped, when you should have just used a secure tunnel.

The CAN-bus allows control of the car, so non-control devices should not be allowed to send control messages on the CAN-bus.

Unfortunately CAN is not as complex as an IP packet. It's essentially a one-wire serial bus with collision detection. Even RS-232 lets you clip the TX line so that a device could listen but not send. You would need to clip the TX before the CAN transceiver, and that's something nobody typically does.

I'm suggesting there would be a hardware device that sits between any device and the CAN-bus. It would simply decode incoming messages, and filter not allowed messages, recode the rest and put them on the bus. I bet you could program an Arduino Nano to do this (as an illustration that it's a fix that shouldn't require more than a few dollars, obviously it'd have to be rugged, robust and reliable for GM/Chrysler to do it).

The simplest method is to encode an authentication scheme using digital signatures for each device on the bus, and burn an approved transmitter list into each device such that specific messages have to be signed by a specific MCU's authentication key or they are ignored. Then simply don't add internet-connected hardware to the approved senders list for any high-risk messages. You can then compromise the car at will but none of the other CAN devices will process acceleration messages unless you happen to own an internet-connected accelerator.

Digital signatures are (a) not simple --- the cost and complexity of implementing and verifying them might be as bad as that of switching to a different phy/mac and (b) particularly tricky to do in microcontroller parts.

Some controllers already do some similar things, more like shared secrets though. It's common in the brakes. There is some sequence of commands that have to be sent first otherwise later commands will be ignored. The problem is that 1) you can wire in a scope and watch 2) just try every possibility or 3) use the diagnostic/test messages instead that accomplish the same without all of that.

There are devices like this in use. I worked in automotive and we used a device like this to attach certified third-party factory-installed add-ons; they also translated vendor-specific quirks in the protocol so that both sides would understand each other better. In essence the third party was kind of trusted, but to be on the safe side we firewalled them to only allow a list of whitelisted commands, more like an API. Not having this kind of barrier for internet-attached devices is inexcusable.

Maybe I don't understand the difficulty. This is a standard services problem that standard software architecture practices would solve. You just need a gateway sitting in front of the CAN bus and any externally exposed services must go through the gateway. Only "safe" services or commands are exposed in this case. Maybe an entire service here, maybe a specific info command to an essential driving service there. The gateway inspects all incoming requests from these external services. All internal commands continue talking through the bus directly. Problem solved.
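A sketch of the default-deny gateway that the Arduino-filter comment above and this one describe, written here as an added C example rather than code from the thread or from any manufacturer. The CAN frame is modelled as a plain struct instead of a transceiver driver, and the message IDs, payload limits and rate limits are constructed for the demo (they are not real GM or Chrysler IDs).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Classic CAN frame: 11-bit arbitration ID, up to 8 data bytes. */
typedef struct {
    uint16_t id;
    uint8_t  dlc;        /* data length code, 0..8 */
    uint8_t  data[8];
} can_frame_t;

/* Allowlist rule for frames arriving from the untrusted (radio/telematics) side. */
typedef struct {
    uint16_t id;               /* the only IDs that side may originate */
    uint8_t  max_dlc;          /* longer payloads are dropped */
    uint32_t min_interval_ms;  /* crude rate limit; 0 disables it */
    bool     seen;             /* mutable state for the rate limit */
    uint32_t last_ms;
} gw_rule_t;

typedef enum { GW_FORWARD = 0, GW_DROP_ID = 1, GW_DROP_LEN = 2, GW_DROP_RATE = 3 } gw_verdict_t;

/* Constructed IDs for the demo, not real vehicle message IDs. */
#define ID_DOOR_LOCK_REQ  0x3A0u   /* allowed: fob-equivalent request */
#define ID_HVAC_SETPOINT  0x3B2u   /* allowed: cabin comfort */
#define ID_THROTTLE_CMD   0x1C5u   /* never allowed from this side */

/* A frame crosses to the control bus only if a rule matches its ID, the payload
 * fits that rule, and the rule's rate limit is respected. Unknown IDs are dropped. */
gw_verdict_t gateway_filter(gw_rule_t *rules, size_t nrules,
                            const can_frame_t *f, uint32_t now_ms)
{
    if (f->dlc > 8) return GW_DROP_LEN;              /* malformed frame */
    for (size_t i = 0; i < nrules; i++) {
        gw_rule_t *r = &rules[i];
        if (r->id != f->id) continue;
        if (f->dlc > r->max_dlc) return GW_DROP_LEN;
        if (r->min_interval_ms && r->seen && now_ms - r->last_ms < r->min_interval_ms)
            return GW_DROP_RATE;
        r->seen = true;
        r->last_ms = now_ms;
        return GW_FORWARD;
    }
    return GW_DROP_ID;                               /* default deny */
}

/* Fills a fresh rule table; returns the number of rules written. */
size_t gateway_default_rules(gw_rule_t *out, size_t cap)
{
    const gw_rule_t defaults[] = {
        { ID_DOOR_LOCK_REQ, 2, 500, false, 0 },
        { ID_HVAC_SETPOINT, 3, 100, false, 0 },
    };
    size_t n = sizeof defaults / sizeof defaults[0];
    if (cap < n) n = cap;
    for (size_t i = 0; i < n; i++) out[i] = defaults[i];
    return n;
}

/* Constructed traffic from the untrusted side: frame plus arrival time. */
typedef struct { can_frame_t f; uint32_t t_ms; } sample_t;
static const sample_t SAMPLES[] = {
    { { ID_DOOR_LOCK_REQ, 2, {0x01, 0x00} },       10  }, /* forwarded */
    { { ID_DOOR_LOCK_REQ, 2, {0x01, 0x00} },       200 }, /* too soon: rate limited */
    { { ID_HVAC_SETPOINT, 3, {0x16, 0x00, 0x01} }, 250 }, /* forwarded */
    { { ID_HVAC_SETPOINT, 8, {0} },                400 }, /* payload too long */
    { { ID_THROTTLE_CMD,  8, {0xFF, 0xFF} },       410 }, /* control ID: no rule */
    { { ID_DOOR_LOCK_REQ, 2, {0x01, 0x00} },       600 }, /* interval elapsed */
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Replays the samples through a fresh rule table; returns the verdict for frame idx. */
gw_verdict_t sample_verdict(size_t idx)
{
    gw_rule_t rules[4];
    size_t n = gateway_default_rules(rules, 4);
    gw_verdict_t v = GW_DROP_ID;
    for (size_t i = 0; i <= idx && i < NSAMPLES; i++)
        v = gateway_filter(rules, n, &SAMPLES[i].f, SAMPLES[i].t_ms);
    return v;
}

/* Bitmask with bit i set when sample i was forwarded. */
unsigned run_samples(void)
{
    gw_rule_t rules[4];
    size_t n = gateway_default_rules(rules, 4);
    unsigned mask = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (gateway_filter(rules, n, &SAMPLES[i].f, SAMPLES[i].t_ms) == GW_FORWARD)
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    static const char *names[] = { "FORWARD", "DROP_ID", "DROP_LEN", "DROP_RATE" };
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("frame %zu id=0x%03X dlc=%u t=%u -> %s\n", i, SAMPLES[i].f.id,
               SAMPLES[i].f.dlc, SAMPLES[i].t_ms, names[sample_verdict(i)]);
    return 0;
}
```

Counting drops per verdict (the three DROP_ reasons) is also the obvious thing to log for detection: a burst of DROP_ID from the radio segment is exactly the pivot the later comments describe.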

Yes, a gateway is a common solution. Or having two busses (one for engine control and the second for aux functions like HVAC, radio, lighting etc) with a system to pass critical messages between the two.

But it's cheaper to use a single bus and just slap everything on there. Or in the case of something like OnStar, realize you can add extra capabilities through firmware and not fully think about the impact when your radio can send unfiltered messages to your ECM.

You do have that gateway, it's likely the radio too. That thing has the most complicated and feature-full code of anything in the car and humans make mistakes when writing even simple software.

Linked but not linked to the internet by default :)

The worst thing is, people can hack your car through your 'entertainment system' on your car. I don't even want to know how such a system exists, why my radio has access to brakes?

What I don't understand is why are there no regulations that require the control system to be completely separate.

Maybe because even the Government didn't think anyone was so stupid?

Because people cry communism or incompetency every time the government tries to write forward-looking rules in matters affecting commercial interests. So politicians can only act retrospectively, once shit has hit the fan.

Who exactly would write these forward-looking regulations? Who is competent enough to foresee years in the future what car manufacturers might want to do, and then imagine how that might go wrong, and then regulate it? And why would (indeed, should) these people not work for the auto industry, applying these competences in actually developing these new technologies?

And who checks these people's work? How do we make sure they don't risk outlawing ABS and ESP before they're invented?

For a relevant case study, compare and contrast with how heavy regulation, also plenty of forward-looking stuff, totally failed to predict or prevent the financial crash.

Then, there's the issue of how the industry would actually adhere to these speculative regulations. You'd have plausibly millions of pages of regulation to evaluate every new development against. In practice, this means the lawyers are running the show. Just like in the banks.

Also, before your righteous anger gets the better of you, let's remember that nobody has actually been hurt due to these problems yet, except of course the manufacturer who must issue extremely expensive recalls. In the meantime, Toyota built cars with a gas pedal that stuck; this issue actually killed people. It was a purely mechanical problem. Would these hypothetical forward-looking regulators have caught that issue?

Finally, I'm not one to throw around words like "communism" where they don't apply, and communists certainly didn't and don't care one bit for consumer safety or comfort - but severe overconfidence in the ability of government to plan, predict and prevent things is a central problem with communism.

I would suggest someone else should keep his own righteous anger in check, considering he replied to a simple quip with a comment that is eight times as long.

I won't even bother to fight your strawmen (the financial crash could not be helped by better laws, really?), tbh it's just boring. You are right, why have laws at all? Car manufacturers are so enlightened, they obviously work for the greater good rather than simple profit, I apologize for my stupid remark.

Have a good day.

Passive-aggressive much? Sometimes a simple quip requires a long response to accurately address multiple potential issues. In speaking about forward-looking government regulation, bringing up how forward-looking government regulation failed in other cases is pretty relevant. And never was the idea mentioned that these things should not be governed at all, which is you throwing out a strawman. Simply that the nature of modern regulation is to restrict possible outcomes, and that also has negative externalities. "Good" advancements can be just as restricted as "bad" advancements, and it's extremely difficult to tell the difference years or even decades before they happen.

> Sometimes a simple quip requires a long response to accurately address multiple potential issues.

Not sprayed with gratuitous ad-hominems, not really.

> bringing up how forward-looking government regulation failed in other cases is pretty relevant.

I struggled to consider it relevant, considering how it's widely accepted that reduction in regulation is one of the main causes of the recent financial crash. Forward-looking regulation was there and was removed. I think that particular example doesn't make the point he thinks it makes.

> And never was the idea mentioned that these things should not be governed at all

It was basically inferred. If you take his points to the logical conclusions, there is no point in regulating the car industry, they hire the best minds so they will know what to do.

> "Good" advancements can be just as restricted as "bad" advancements

Of course; but it's extremely difficult to prove whether the advantages of outlawing both outweigh the advantages of allowing both. So we came up with this rule that "we legislate only after shit happens". Is it crazy to think this arrangement could be sub-optimal, and there might be a better compromise?

Because your quip shows an astonishing amount of deference to an often incompetent and power hungry government. At least I can choose my vehicle.

The fan is looking quite brown and sticky right now ...

Regulations generally arise retroactively, as a response to demonstrated bad behavior or information learned in accident investigations.

I get that. But how much forward thinking does it take? Back in the 80's or early 90's when "drive by wire" was the buzzword and old timers were saying they'd never drive a car that didn't have physical linkages, how much forward thinking would it have taken for regulators to say control system circuitry needs to be completely isolated from other systems in the car? Something like this would still apply today and maybe we wouldn't be seeing these issues.

> how much forward thinking would it have taken

A lot. You can start by looking up whether any of these old timers raised anything remotely similar to that concern. Remember how insanely unprotected the Internet was in the beginning? How SMTP basically still is? That was built by some of the smartest people in the world, and they didn't have the foresight to predict that there might be adversaries, and thus build (in retrospect, quite simple) protections in.

Also, those old timers were wrong about drive by wire, there is zero evidence that it's any less safe than physical linkages.

One of the reasons it would have been extremely difficult to predict, is that the phenomenon of consumer devices having a general purpose computer (and that this might be connected to the rest of the car), much less one networked in any sense, as its interface is pretty new.

[edit: added analogy to the internet]

>a lot.

I guarantee you that engineers warned PM's about this kind of thing from the start.

>Also, those old timers were wrong about drive by wire, there is zero evidence that it's any less safe than physical linkages.

Let's distinguish drive-by-wire from FADEC (or what amounts to a poor version of FADEC). An electronic throttle is fine. An electronic throttle that cannot be overridden by a casual user is not. It's the implementation that's problematic.

And still, we are switching the Eurofighter from a CANBUS with separate microcontrollers to a single central microprocessor design.

> controls system circuitry needs to be completely isolated from other systems in the car

What would they define 'other systems' as? Back then carphones were pretty new, and the height of technology, and a car 'computer' was a trip mileage counter and mpg calculator. Any definition would either be rooted in the technology of the time, and therefore not handle new breakthroughs and inventions, or be so vague as to be unenforceable, I suspect. They would have to be pretty far forward thinking to have envisaged high bandwidth Internet connections or wireless data links as inputs to the car systems, let alone the amount of compute power that is now routine in vehicles.

The sorts of things that are going to enforce safety here are going to be produced by the car industry engineering standards bodies eventually, but it will take time. Many of the concepts, like CAN-bus firewalls, data diodes and filters are already present in high-assurance avionics networks and (post STUXNET) in process control systems. Note that it took STUXNET for people to realise that vulnerability, now the industry is working on solutions, but so far no power stations or chemical plants have exploded. We are in the same place with vehicle security now.

We are a cheap and short-sighted people.

because canbus.

It wasn't a bad design for the 1990s - it's a bad design for now, however.

Why is canbus a bad design? As long as you don't allow untrusted data onto it there is nothing wrong. Physical access exploits are quite irrelevant imo.

These are security issues, it's not by design. We will see more issues like this one and they _are_ bad, but this would be the least of my worries. There is no money in exploiting these bugs and even so-called script kiddies will probably not want to risk killing anyone. There are real risks, like buggy software in your ECUs which can be deadly without any Internet connection.

It is partly by design since the ECU is physically connected to the infotainment system for diagnostics / user configuration. If ever there was an example of when systems should be airgapped, this should be one of them.

ECUs have no business being integrated into infotainment systems. It's fine to have a physical wire that can be connected for diagnostics, but don't have them permanently connected by default. Just don't.

edit: just read the article (doh for commenting before reading) and this attack is different from the previous ones. This one uses a feature that was built into the cars purposely for unlocking the vehicle and controlling the engine. That feature seems monumentally dumb from the outset - and very much implemented by design.

> There is no money in exploiting these bugs

- Murder for hire. - Killing political opponents. - Another country could use it to kill our leaders.

I'm looking forward to self-driving cars but my only real fear is a bug being used to kill people in the manner I just described.

I'm not afraid of being killed because someone hates me, I'm afraid of being killed because a 12 year old with a laptop may not have a fully developed moral sense of right and wrong.

I'm not afraid of being killed either. I'm mostly worried about politicians and powers that be killing others to stay in power. It's much easier to keep your hands clean as a government hacker than as a government hit-man.

Even if the hardware is secure against a script kiddie hacker, it'll never be secure against a government backdoor.

Imagine the power that someone like Nixon would have as president today. It's scary.

"When the president does something, that means that it is not illegal" https://www.youtube.com/watch?v=tYdJqSG3K6c

I fully expect a new genre of prank videos to emerge. Self-driving cars with cameras make for perfect targets. Innocent people will be involuntary passengers for a Grand Theft Auto style rampage that is livestreamed for the world to see.

Really? Do you imagine the only thing stopping people from trying to kill random strangers is the fact they currently have to get up out of bed to do it? Because it can't be the fear of getting caught, since the perpetrators of any vehicular malware that kills people will be caught...

If the fear of getting caught prevented people from committing crimes, jails would be empty.

Exactly, so according to the people worried about killer malware, the only thing stopping our population of latent murdering sociopaths is the fact that it's currently too much physical effort to go and sabotage some random vehicle? As I said, this seems unlikely to me...

On the bright side, these cars can now be used as an open platform for developing open source driverless car software. You can even use the stereo to run the control software. (I'm only being slightly flippant)

You're replying to the wrong post. That should have been to my parent commenter.

You're right. Thankfully, I had a quote to give some context to what I was trying to rebut. It'd be great if a mod could change the location of the reply.

It is by design, it must be.

There is the acceleration module, then there is a wireless networking module, and there is a physical wire connecting them.

Very shitty, very dangerous design.

More like, there is this acceleration module and there is this pedal that must hook into it, and there is this handy bus going through the car that you can connect the two systems to in order to make them talk with each other.

And then you add a radio, and a knob under the steering wheel to control it, and think - hey, I have this handy bus I can reuse so that they talk with each other. And suddenly, your radio talks to your brakes.

I don't think it's malicious design. More likely stupid one, or just a result of people being used to treating car hardware as trusted environment - where obsessing over security is just a waste of resources. It's just that when you introduce an Internet-connected device to that environment, it's not trusted anymore.

I'd still argue that anyone who connects radio, trip computer or air conditioning systems (non-critical, not real time) with braking, acceleration and external lighting systems (mission-critical, realtime, potentially lethal) is maliciously stupid.

In almost all cars there are in fact two CAN buses: a high speed, low security bus that connects the radio to the entertainment system and so on, and a low-speed, high security (in terms of components, not actual security) bus that connects the brakes to the ECU and so forth.

The issue is that frequently systems like OnStar sit on both buses, because they are used for things like engine diagnostics. If you investigate you'll notice that every single one of these car hacking attacks starts somewhere, pivots to an OnStar like system, then can control the car.

Doesn't really make your point less true, but fits perfectly in the features over security mindset.

Two CAN buses is a quite low number. The last system I saw, which was pretty old, had at least half a dozen from what I could tell from my end of the system, probably even more internally inside or behind other components. Modern cars also use FlexRay, LIN, MOST and all other kinds of buses. The reason for this is safety, bandwidth and that the delay jitter on a highly loaded CAN bus can be relatively unpredictable for high frequency control requirements like suspension, traction and other engine related control.

Or there is always the chance of management overriding building a separate system due to higher costs. The gains in safety did not justify the costs to them.

Don't contribute to malice what could be explained by stupidity. Don't contribute to stupidity what could be explained by greed.

Add to that the fact that some cars, like a Mercedes C-Class I rented recently, allow you to change the 'agility' setting from the entertainment screen (changing throttle response, steering and suspension).

There is a common bus, and there are reasons for it existing, but the fault is with an internet-connected module being able to break out of its role. Fixing that is the traditional game of whac-a-mole that we have in IT every day, at least until a secure-by-design Bus 2 comes along.

> There is no money in exploiting these bugs and even so-called script kiddies will probably not want to risk killing anyone.

I'm sure plenty of international "agencies" would pay very good money to be able to exploit these bugs. Gotta take out somebody driving a GM car? No sweat!

> There is no money in exploiting these bugs

There's such an obvious way to make money on them I'm surprised it isn't happening yet - if you have a zero-day for a car, just make a deal with your lawyer friend, that you'll crash some poor schmuck's car and your friend will help the victim sue car manufacturer for $shitton, which you'll split between the two of you.

There is no money in swatting either, but yet it's becoming a growing problem for popular streamers (and police departments).

There may be no money in exploiting these bugs, but it's bugs like these that make a police state even closer to possible... if these bugs aren't found and squashed, they can and will be exploited by anyone who decides they need to coerce and control whatever they need to. One more tool to be used against... whoever.

If this kind of exploit could be exploited en masse it could wreak huge economic havoc in addition to the life safety issues. Even if the attackers were warm and fuzzy types and they only took control of cars that were stationary. Forgetting about the safety problems for a moment it's kind of amusing to imagine thousands of logo-turtle-cars ambling around parking lots, clogging up traffic, making unprotected left-turns, etc.

Hahaha @ Logo Turtle... that brought back memories long since suppressed/forgotten from back in primary school

You don't think "Send bitcoin to this address or your daughter's car will suffer an unexpected malfunction" will be a thing?

What about the NSA, CIA, Russia, China or drug cartels. Do you think they will want to "risk" killing anyone like this?

Actually, that is not really a car hack.

He intercepted the communication from the app. So it is an app hack like we have seen numerous times. It may be different, but it sounds like the cookie stealing that was possible with the Facebook app and the Instagram app. Then with those credentials you can do all those things that you are supposed to do as if you were the legit user.

All those functions are functions supposed to be done by the app. So there is no hacking on the car side done. The interesting piece of information would be: can that be used to actually hack the car?

Having purchased an internet connected Hyundai (via their BlueLink service)... I've been curious whether I can access the vehicle directly through its internet connection.

So far, sniffing the packets from the iOS BlueLink app, it appears to broker requests through a service by Covisint [http://www.covisint.com/]. From there, I cannot figure out how the vehicle communicates to receive these messages.

The payloads between iOS and Covisint contain tons of information about the vehicle, but nothing that exposes the communications between the vehicle and BlueLink or Covisint.

The vehicle has the ability to connect to Wifi... I will prod at that next. :)

  From there, I cannot figure out how the vehicle
  communicates to receive these messages.
Prediction: 3G/4G, with specific settings on the SIM giving it access to a private APN.

And, if you're lucky, it's connecting to a private IP network.

The Chrysler hack was possible because the cars' built-in cell connection *wasn't* connecting to a private network; the cars were unfirewalled and accessible to anything else that happened to be on Sprint's cellular data network.

I am a volt owner and have the app mentioned in the article...

It appears that the hacker can gain access to whatever the phone app is capable of... which is not THAT much really. You can absolutely start and stop the car but you need the key fob to actually drive the car and I don't believe you can stop it when it is actually being driven.

There is no speed or braking controls in the app. You can unlock/lock, start/stop and trigger the alarm.

In addition, the device must be near the car and the user must be using the app.

I am glad they are patching this, but it's really not on par with prior vulnerabilities as far as I can tell.

If I recall, there was an article a few years ago about OnStar helping the cops turn off a car that had been stolen.

Turning off a car while you are driving it is a big deal.

The official GM OnStar app exposes certain do-it-yourself features to the phone user, such as remote start, lock/unlock, and "I forgot where I parked" alerting. These are the same functions that often appear on key fob buttons.

OnStar is capable of performing more functions, such as locating the car when it is out of sight/sound range, slowing down the engine, locking down the ignition, and performing remote diagnostics.

I couldn't confirm this by reading the article, but it might be possible that the protocols and APIs used by the app could be hacked to perform OnStar functions that were not intended for use through the app.

So if the app sends OnStarApp( REMOTE_UNLOCK, VEHICLE_ID, APP_AUTH_KEY ), someone might try skimming the authentication credentials, and then send OnStarApp( STOLEN_ENGINE_SLOWDOWN, VEHICLE_ID, APP_AUTH_KEY ).

In GM's mind, the app is trusted software, so any message that looks like it came from the app must have been requested by the owner, through the app. And since the app can only send "safe" commands, like those performed by a radio key fob, OnStar can simply execute whatever command the app message requests without checking it. That would be the same way the CANbus works. If a valid message appears on the bus, addressed to your microcontroller, you act on it as though it were genuine.

They aren't software developers. They're automotive engineers. The design goals are different. In their world, Eve never listens to other people's conversations, cosmic rays never flip bits in memory, and no one outside the company will ever understand your car better than your own engineers.

But there are people out there who will try to figure out if they can pop the trunk release using any component of the car except the trunk release button. Hackers do that kind of thing for fun. And, in doing so, they may find out that not only can they do that, but they can also do things like shut off the engine with a maliciously malformed digital radio station signal.

Then they connect a handheld yagi to their laptop, broadcast the signal at a friend's car, and tell them to hit the "scan" button on their radio while idling in their driveway. Then it hits 88.1-3, a recording of "I'm sorry Dave, I'm afraid I can't do that" plays over the car speakers, and then the engine shuts off. It is a source of great amusement, until the "Oh, shit" thought occurs: "We did this for giggles. Someone else could do the same thing to murder people."

Then they contact the auto manufacturers, who don't do much about it. Then they present it to DefCon, and talk to the media. And we still don't have an acceptable solution. Certain models of car are potentially vulnerable to attacks that we can demonstrate in controlled tests, and which are possibly occurring in the wild in a way that cannot be easily detected.

Admittedly I have no idea whether that is true via the app... but if so, then yes... it's a bigger issue.

I'm curious - what happens to these cars (not specifically GM's, just these "smartcars" in general) when you disable/disconnect/destroy the (presumably) SIM card or whatever it uses to connect to cell data?

Another question you should ask is: how difficult is it to disable OnStar? The answer: quite difficult.

OnStar's module is deeply embedded inside the car and in different locations in different models. OnStar is tied into the vehicle diagnostics and electrical system. If you manage to find it, and pull its cables out or something straightforward like that, your car will probably report an engine error and not start. (This issue has been reported and discussed extensively in car hacking forums.)

I asked my local GM dealer--a very large dealer, by the way--about disabling OnStar permanently (at the hardware level). They told me (a) they don't know how to do it, (b) I'm the first person to ever ask about it, (c) they think it might void the warranty (I don't know if they are right or wrong), and (d) they're unwilling to do it.

I pulled the module from under the back seat of my '07 3 months ago with no deleterious effects noted. I assume without a brain and no antennae hooked up it is disabled. However, I have assumed wrong before.

Yeah, I was wondering about that as well (hence "if possible at all"[1]) since I intend to buy a GM vehicle this year (maybe, money is hard), but I guess OnStar isn't very relevant in Europe.

[1] Edit: Which is something I wanted to use in the sentence, but now I see I didn't. This is not a good day for me.

GM would go after you and your dealer for a DMCA violation.

Sadly, I'm not even being sarcastic.

You aren't being sarcastic, but instead are simply making things up.

GM dealers are all supposed to know how to disable OnStar, and indeed it is usually actually quite easy for an end user to do, with no negative impact on the vehicle. I have a 2010 Traverse and disconnected the OnStar module and antennas with no negative impact outside of OnStar -- it is in an easily accessed compartment near the back of the vehicle.

Some dealerships simply never deal with this, though, just as they are supposed to know how to disable the passenger side airbag but many have no clue and act incredulous. It just isn't that common.

GM doesn't widely share the information on disabling it because ostensibly a purpose of the system is theft recovery -- that if your car is stolen they can track it, which becomes less achievable if every thief just pulls a fuse or something. Nonetheless the information is out there and easy to find.

Why is it you as the owner of the car cannot disable something inside your car that doesn't relate to your ability to be transported... that IS being targeted with the DMCA.

Who said you can't? Again, there is a simple little box with a wire connector that you can easily disconnect. I did exactly that. Fear mongering about how everything will start failing is not backed by reality.

GM is joining John Deere in this fight.

If this thing is related at all, it's about not "hacking" the OnStar.

That has nothing at all to do with OnStar. GM wants to control the ECM, which has very much to do with your ability to be transported. Are you going for the shotgun approach?

Probably the same thing that happens when you enter an area without cell reception, which is that the "smart" features stop working.

Oh.... I didn't think of the fact that the cars need to be fully operational in those areas as well. Dumb question >.>

Probably nothing? OnStar is an optional service. It's not required for your car to run.

The article says that Kamkar intercepts the connection from a user's phone. Wouldn't that either imply this only works for phones on weak 2G/3G connections, or that the hack is much more impressive in that 4G/LTE connections can be intercepted?

Possibly a 2G attack. Hardware visible in the video is fairly ordinary:

    - Raspberry Pi
    - RTL8187L USB 2.0 WiFi module
    - Adafruit FONA mini GSM/GPRS module[0]. Not LTE capable.
[0] https://learn.adafruit.com/adafruit-fona-mini-gsm-gprs-cellu...

This FONA thing is pretty cool, I've been wondering how you could (simply) create an SMS-based service.

A cheap Android phone might be easier.

Jamming LTE to force a switch to 3G is possible.

It does imply this was in some part a TLS fail. Either none, or failing to verify trust.

I don't think the hack involves the cellular data connection, and it would be a very different hack if it did.

To clarify, the OnStar system in your vehicle talks to a data center at GM or wherever. When you use the app, it talks to that data center, and if you have an authenticated, active session, the data center intermediates commands from the app to the vehicle.

This looks and smells like an entirely standard MITM type attack. He runs a rogue WAP, or listens in on low encryption APs, and when someone uses the app it exploits some weakness in the SSL/TLS process of the app (maybe DNS poisoning coupled with an app that doesn't demand a root signed cert from the peer). That can be fixed immediately and really is remarkably limited in utility and threat.
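The weakness guessed at above (an app that does not demand a trusted, name-matching certificate from its peer) is something a reviewer can check for mechanically. Below is an added example, not the article's or the app's code, using only the standard Python `ssl` module; the "app context" functions are constructed stand-ins for what a client might configure.

```python
"""Added example: audit a TLS client context for the settings that let a rogue
access point or DNS-poisoned host impersonate the service. Standard-library
ssl calls only; the 'app' contexts are constructed for illustration."""
import ssl


def audit_client_context(ctx):
    """Return the list of MITM-enabling weaknesses; an empty list is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (CERT_NONE or CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def weak_app_context():
    """Constructed: a 'just make the certificate warning go away' client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, including a rogue AP's
    return ctx


def hardened_app_context(ca_bundle_path=None):
    """Chain must reach a trusted root, name must match, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("weak    :", audit_client_context(weak_app_context()))
    print("hardened:", audit_client_context(hardened_app_context()))
```

Pinning the service's own certificate or public key on top of this narrows the trust further, but the two checks above are the minimum that defeats the "rogue WAP plus DNS poisoning" scenario.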

Imagine this: a smart kid creates an app that lets the horns of multiple cars in a parking lot honk like a symphony. Even more fun: someone walks over that parking lot, and you follow them with honks from different cars. Man, I would love to see that!

The sci-fi movie version of hackers in the future, who can bend everything around them to their will, is perhaps not so far fetched. Instead of future hackers being really good at it, maybe the vendors that build everything are just incompetent.

And we don't even have fully autonomous cars on the street yet. That's when the real fun will begin.

Why would a car be online at all, especially when parked? What is the benefit to consumer?

* In the winter, you can start the car's heat while you're inside so it's warmed up when you get in.

* In the summer, you can start the car's a/c so it's cooled down when you get in.

* Send the address I just looked up in Google Maps to the car's navigation system, so I don't have to re-type it when I get in, I can just start driving.

* I drive an electric car, and also check battery level from inside so I'm sure I have enough range to get to my destination, and can tell the car to start charging remotely, or schedule charging windows in advance.

I find all of these internet-enabled features useful.

Fun fact: the first two use cases are actually illegal in Germany. You may not run the motor or any in-car appliances while the car is not moving, and you may not move the car if it is not desperately necessary (yes, taking the car to visit your neighbor 20m away is actually illegal).

I agree that they are useful. However, I do not think "having a warm seat" is worth connecting your car to an unsafe network.

Heat/AC/overall status/engine start have been a feature on car remotes for 10 years now, although they do get hacked all the time, too.

As for Maps, that might be a point, but why not use the phone for nav? Normally you don't need to type, as voice recognition is good enough.

One of the things they advertised about OnStar is that it detects when your car is in a crash. Then they (OnStar) can remotely talk to you and dispatch help. There is a button you can push to talk to someone and get help manually.

I think it does stolen vehicle tracking too.

In this day when everyone has a cell phone (versus the late 90s when OnStar first showed up), it's less useful than before, but if your car goes over a cliff, you are knocked out and no one sees it, it could be helpful.

Why this needs to be connected to the driving functions of your car is another issue... (they'd claim "diagnostics").

OnStar provides all sorts of nifty things. Lock your keys in the car? OnStar can unlock your doors.

Are you telling me that I can call some number and, if I'm persuasive enough, they will unlock your car remotely and maybe even start the engine? Nice feature.

Yes, and it rules. So does using the app to start my car on a cold day when I had to park a few blocks away. Convenience always trumps security.

As demonstrated by Justin Long [https://www.youtube.com/watch?v=hVxjQTHLDEY&t=1m41s].

There was some good product placement of this feature in Die Hard 3.

The remote start function appeared in the fourth movie, Live Free or Die Hard, with the plot revolving around a "fire sale" cyber attack. Die Hard 3 features Sam Jackson and the theft of gold under cover of binary fluid bombs.

My bad - thanks

It is even a part of a plot for some action movie (can't remember which movie though). The cars can be unlocked with social engineering skills.

One of the Die Hards with Bruce Willis and a hacker kiddo did exactly that.

And then what? You can't actually do anything with the car without the keys. Steal the goods in it? Well most thieves just smash a window rather than relying upon social engineering, presuming that even worked.

OnStar started as a data connection for diagnostics and emergency services -- it reports back various diagnostic details, and gives your location and accident details in a serious event. Once they had the cellular data connection they added utility for things like lock out assistance and remote start, and locating your car (e.g. in a big parking lot).

Smashing a window draws attention, social engineering when done right does not until it's way too late... certainly nobody watching in the parking lot would think twice about a guy on a cellphone getting into "his" car. They would however think twice and may perhaps even alert authorities or take your picture if they saw you smashing a window to get into what's quite probably someone else's car.

So instead you make a traceable call to OnStar, before which you will have amassed all of the personal details to somehow socially engineer them into letting you into the vehicle (not just their names and personal details, but the system also has a code you have to tell them).

This is one of those hysterical overreaches that has no correlation with real world crime at all.

Be that as it may, security breaches occur in complex and presumed safe systems every day - look at how a social engineer used data found from one system (Amazon) to exploit another (Apple) to get further information and cause users havoc last year. Both systems were presumed to have safeguards that kept intruders out. When humans are part of the security equation, in my experience, all bets are off.

In this case, it may (or may not) be a hysterical over-reach, only time will really tell.

I am not sure if you are joking or not, I wouldn't want my car to be opened without keys. Especially after such news

You wouldn't want to be able to open your car door if you lock your keys in it, without needing to worry about whether or not the locksmith is going to mess up your door?

It's a matter of good idea, bad implementation. They push for features, they push for ideas, they push for new, new, new, better, better, better.

But no one thinks about safety and security until something like this happens.

No, I wouldn't. Exactly because of f*uckups like these, which always come with features for the lazy or stupid. If I'm ever, ever forced to buy such a pathetic excuse for a car, the first thing I'll do is find the SIM card and burn it. Next will be the Wi-Fi module. Heck, I'll even pay some garage to turn it off forever.

I am a software engineer and that's why I don't want anybody messing with crucial systems. It's so easy to break things, and there were quite a few reports about horrible quality assurance processes in car manufacturers... just NO. I buy a car, and I'll be happy with v1.0 of the firmware, no updates, thank you.

I would use the spare key. Maybe it is me but I don't trust my phone with my car.

Have you accidentally locked a baby in the car in temperatures exceeding 90 or 100 degrees? Judging by the amount of times I hear this on the news, I can show you a whole market of people that find this useful. Calling a locksmith or someone that can break into your car takes time as well as being concerned about potential cosmetic damage. If OnStar can open your car remotely with a single phone call inside of a minute to save a helpless child from being cooked, there's your market. "Will someone please think of the children..."

OnStar opening your car remotely requires more things in the car than preventing the car from locking if the key is inside in the first place would. By the way, I can't lock my car if the key is inside, and the car doesn't have a remote opening feature.

It should not be possible to lock the keys inside the car since you use the keys from the outside to lock it.

On my (2009, no power locks) car, I manually toggle the lock after opening the door and close it. Locked. I did lock myself out of a 2009 car with power locks though, but only because I was borrowing it and no one knew the combo for the keypad.

Buuuuut... we're talking about OnStar remote access, so that's not very applicable. :)

I have never been in a car you can't lock from the inside.

I have not seen a car where I can lock my key inside in... idk, 10 years maybe?

Edit: I meant keys inside the car but no one inside.

Yeah, that's what I meant, the last car I was able to do this was a first model Peugeot 205 (25 years old now), even with a 20 year old model, it was already not possible.

One thing I can't understand: a $500 phone can unlock itself with my fingerprint, why can't a $50k car? I'd trust that a lot more than a minimum-wage phone operator somewhere.

All those "nifty" things are potentially available to hackers too though!

One example is that you can turn on the heat using your phone. Very nice if you live in a place with cold winters. Volvo does this.

One annoyance with Volvo though is that you can remotely open the windows by (accidentally) holding down the unlock button (i.e. by sitting on your keys), but you can't remotely close them again. You have to get into the car to do that from inside... apparently a safety feature (I called to find out how to do this).

Exactly my thoughts, what is the use of the OnStar stuff in the first place apart from just being a "gimmick": "Hey look, I can beep my horn from my phone!".

Where is my car in this parking lot?

"Hey look, I can beep my horn from my phone!"

Surely there are better ways of achieving the goal of finding your car in a car park.

It's a shame we don't have like little keychains that can unlock or beep our cars from afar. We're not living _that_ far in the future though, I suppose.

Yeah, it's called being observant when you park your car. I mean, how hard is it to look around and remember a few landmarks?

That kind of depends how drunk you are. And that might matter a lot more once the cars start driving themselves.

Which is incredibly stupid, and forbidden in most European countries: you cannot use your horn unless it's an emergency. Finding your car is not an emergency.

> you cannot use your horn unless it's an emergency

Hahaha, you've never been downtown in a European city, have you?

LOL I've done this so many times... who ever remembers where they left their car? I lose mine at the station almost every day :D

It's kids paradise. If you're smart enough, you can create your own symphony in the local parking lot. Starting up all those engines will be fun too!

Why do embedded platforms not give a damn about security? It looks like they just don't care.

It's not only embedded systems.

In general, businesses care about short-term profit (sure, in the long term a hack is bad for business, but shareholders don't care except in the cases where it would be fatal to the business).

Engineers are pressed to get it done any way possible and as fast as possible. The ones that push back get fired or moved to another project.

The fact remains that adding security and encryption requires more knowhow and adds a layer of complexity which results in more time required.

> Engineers are pressed to get it done any way possible and as fast as possible. The ones that push back get fired or moved to another project.

This. Also incompetent engineering teams could be a major factor.

Here's a scenario: let's say that GM goes hog wild after this and hires every expert security researcher with experience in this domain. They create an internal tiger team for security. They re-organize their entire product delivery pipeline to incorporate internal and external security audits and they publish everything they do. And they create and fund an open bug bounty program for bugs in all auto manufacturers (proxied through a non-profit) and make a "pwn2own for cars" or something, and after five years, GM cars are measurably more secure than any other car manufacturer's.

In this future in five years, do you buy GM? No? That's why they don't give a damn about security.

There are two factors in play here and your scenario only accurately measures one:

1) If GM cars' security is the best on the market, will it carry any weight in the purchase decision (as compared to all the other factors)?

2) If GM cars' security is not the best on the market and one of their security incidents makes headlines in mainstream TV and newspapers, will it carry any weight in the purchase decision (as compared to all the other factors)?

People don't pay attention when things that are supposed to work properly do so, but when they don't it carries a lot of weight in the purchase decision. See the Toyota slump [1] in the U.S. market share between 2009 and 2011, caused by many factors but certainly with a contribution from the bad news related to the recalls [2].

[1] http://online.wsj.com/mdc/public/page/2_3022-autosales.html#...

[2] https://en.wikipedia.org/wiki/2009%E2%80%9311_Toyota_vehicle...

Security is balanced against cost in a risk-based assessment. One of those factors is certainly bad publicity and lost sales, and that might actually be a fairly small number. But there are still other ways to weight the argument in favour of security. For example: regulatory fines, senate investigations, class action lawsuits, directors going to prison, cost of recalls, etc.

So although GM may not have much security pressure from the consumer, depending on the surrounding legal and regulatory environment, creating more secure cars might end up being a sensible move.

I guess what I'm saying is that I agree that currently there isn't as strong pressure for security as I'd like. But that can change and not just from the consumer/sales side.

You could make a "drive by" (in the literal sense) gizmo that bricks vulnerable cars, maybe even causes expensive physical damage. Can you start a car fire by controlling fuel pressure pumps and injectors, or destroy a turbocharger? Stick a ten minute delay in your injected code and you're long gone.

GM (or really, virtually any car manufacturer with the possible exception of Tesla) would be caught flat-footed.

Firmware in consumer products (especially where radio or network access is present) needs to have a security model. Car makers have been betting they didn't need to spend much money worrying about security; it doesn't look like that bet is going to pay off.

If this becomes a thing that any kid with $30 of electronics can do, dinosaur makers are toast.

I hate to break it to you, but any kid with USD 0.10 can start a fire in a car today. It requires a.) one rock and b.) one box of matches. Break a window with the rock, then throw lit matches onto the upholstery. Really, the threat model is NOT disaffected kids.

Why do you specify "embedded"? After each hack, when I see that X company stores passwords either unhashed or weakly hashed, the conclusion is that almost no one gives a damn about security. And no one will until failing to properly secure sensitive customer data is enforced with hefty fines.

While the paranoia about this has been rampant for a while, this article (from last year) points out that manufacturers ARE working on this and have been for some time:

Continental, one of the world's three major auto parts suppliers, is partnering with IBM (IBM) and Cisco (CSCO) to make firewalls that control the information flow between the car's devices. Until it gets security all figured out, the German company is holding back from adding full Internet connectivity features, such as real-time information from the engine that alerts the local car shop ahead of time.

Ford (F) hardware has built-in firewalls to prevent malicious tampering, and the company has a team of noble hackers constantly probing for weaknesses.

Toyota (TM) does all that too, plus it embeds security chips in the tiny computers throughout the car, narrowing how they communicate and lessening the chance of outsider interference. The company even has forward-thinking plans this year to visit the world's largest hacker conference, Black Hat.

It should be no surprise that Tesla (TSLA) is ahead of the pack. The Model S is the most advanced and connected car currently available. It's worth noting the company's mature approach to addressing vulnerabilities. Instead of hunting down hackers who spot weaknesses, they reward them with an "Information Security" badge that works like a Willy Wonka golden ticket, granting exclusive access to Tesla's factory in Fremont, Calif. The company recently sent one to a British hacker who goes by Jon of Bitquark.

But of course the government isn't helping much either. . .

...federal regulators will soon demand that cars automatically relay information wirelessly to one another as part of the U.S. government's vehicle-to-vehicle communication program. Those car-to-car messages will one day be able to engage brakes -- or your steering wheel.

"...federal regulators will soon demand that cars automatically relay information wirelessly to one another as part of the U.S. government's vehicle-to-vehicle communication program. Those car-to-car messages will one day be able to engage brakes -- or your steering wheel"

That's bad. Governments are (by far) the most violent organizations on earth. They expand to control everything they can. The actions of power are always to increase one's reliance on it. It's almost a law of nature. If we give up our ability to control our momentum and kinetic energy, it's more than a slippery slope. It's a path to black boxes in everything, including people.

>> We take all cyber matters seriously

Because nothing says serious security like using the word "cyber" twice in your statement.

I'm sticking with my old cars that have no computers and start with a key.

Same here although I wonder if any vehicles allow you to shut off the wireless radios a la "airplane mode".

Your car is insured and is easily replaceable.

Car theft has declined precipitously in recent years. According to the NY Times [1], in 1990 there were 147,000 cars reported stolen in NYC. In 2013, that number had dropped to 7,400. On a per capita basis, it went from 1:50 to 1:1,100; a 96% drop. This dramatic reduction in theft cannot be solely attributed to an overall reduction in crime either.

This is not an argument for the status quo. I'm just pointing out that the principles being espoused in the responses here aren't axioms, they're value judgements. As software developers, we're taught to be hyper-paranoid when it comes to security, and we should be. That's how a culture of security is built.

However, in a broad sense, a balance must be struck. Like it or not, there is an acceptable rate of car theft, and that rate is non-zero. The acceptable theft rate is defined by what consumers are willing to pay to insurance companies to take on the risk and the assessment of the balance between probability and the anticipated inconvenience of having their car stolen. Consumer choices are defined by the alternatives, though. If the solution is that cars shouldn't have these features at all, can you find that car? What else do you give up in the process? Unless automakers ignore the problem, and theft rates skyrocket, buyers are still going to seek out these network enabled features because their convenience outweighs the risks.

Of course, it could be argued that we'll see a rise in theft again as criminals learn to use new technologies to steal cars. This has already happened in some places. BMW has run into a couple of fairly high profile cases of this recently. In one case, attackers combined the easy accessibility of the OBD-II port from a broken window with a security weakness in the car's software to bypass all the theft protection. No network access required!

The linking of the CANbus to network systems is too enticing from a consumer convenience perspective. That genie is out of the bottle.

1: http://www.nytimes.com/2014/08/12/upshot/heres-why-stealing-...

For reasons like this, I remain very wary of the Internet of Things.

IoT is one of the most useless large-scale projects that humanity has embarked on. A giant waste of resources across thousands of companies, so your fridge can order more milk for you. Spending billions in solving a non-problem, and creating a myriad of vulnerabilities everywhere.

It would be amazing if we as a society would spend all that money and effort in worthy problems.

"It would be amazing if we as a society would spend all that money and effort in worthy problems."

On the contrary, monetization for the sake of wealth generation is a worthwhile effort in a society based on materialism & selfish desires. We have been programmed all our lives to take & want & connive (perfected to a science in the US & most 1st World countries); that's what capitalism has evolved to, IMO. This Internet Of Other Peoples' Things is just the latest, most efficient way they have found to wheedle, cajole and manipulate us fools from our money! Plus, don't forget the data collection opportunities! Hitler would love the IOOPTs.

Although, Windows 10 looks to be breaking some pretty scary ground. Google & Apple eat your hearts out!

We should start calling the Internet of Things the Software Apocalypse.

Samy does some great hacks, always impressed with the amount of effort he puts into developing the hack. Here's his video which the article is based on https://www.youtube.com/watch?v=3olXUbS-prU

Also his motorized combo lock breaker has made HN front page before https://www.youtube.com/watch?v=YcpSvHpbHQ4

Also Evercookie and a drone that seeks and hacks other drones. His output is seriously impressive.

Is there any sort of hardware network "OFF" switch in these bad-ideas-on-wheels?

I'm not certain, but I imagine removing the comms would mitigate the threat. First thing I did when I bought my new-ish GMC was remove the OnStar module from under the back seat. I'm sure there is still a 'black box' somewhere, but I never found any indication it has WAN capabilities. Of course, I disabled XM too... not so much for paranoia's sake, I just needed an input for my media device.

The prefix code to control my car's shields is 16309. Maybe I should change it.

Is the car receiving commands indirectly through OnStar itself or directly from a smartphone connected to the in-car wifi?

The commands are likely brokered through a cloud based service. It sounds like the OnStar hack captured the authentication token and used that to talk to the central service to send commands to the vehicle.

Self driving cars are going to be fun

You had me at locate.
