Another Reason GM May Have Come Around to CISA

Last week, Wired had a story about a hack of GM vehicles that the car company took 5 years to fix. As the story explains, while GM tried to fix the vulnerability right away, their efforts didn’t completely fix the problem until GM quietly sent a fix to its vehicles over their Verizon network earlier this year.

GM did, in fact, make real efforts between 2010 and late 2014 to shield its vehicles from that attack method, and patched the flaws it used in later versions of OnStar. But until the surreptitious over-the-air patch it finished rolling out this year, none of its security measures fully prevented the exploit in vehicles using the vulnerable eighth generation OnStar units.

The article uses this as a lesson in how ill-equipped car companies were in 2010 (notably, right after they had been put through bankruptcy) to fix such things, and how much more attentive they’ve gotten in the interim.

GM tells WIRED that it has since developed the ability to push so-called “over-the-air” updates to its vehicles. The company eventually used that technique to patch the software in its OnStar computers via the same cellular Internet connection the UCSD and UW researchers exploited to hack the Impala. Starting in November of 2014, through the first months of 2015, the company says it silently pushed out a software update over its Verizon network to millions of vehicles with the vulnerable Generation 8 OnStar computer.

Aside from the strangely delayed timing of that patch, even the existence of any cellular update feature comes as a surprise to the UCSD and UW researchers. They had believed that the OnStar computers could be patched only by driving them one-by-one to a dealership, a cumbersome and expensive fix that would have likely required a recall.

GM chief product cybersecurity officer Jeff Massimilla hints to WIRED that performing the cellular update on five-year-old OnStar computers required some sort of clever hack, though he refused to share details. “We provided a software update over the air that allowed us to remediate the vulnerability,” Massimilla writes in an email. “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

What Wired doesn’t note is that GM was in the thick of recall hell by November 2014 because of its delay, during the same period, in fixing ignition problems. It’s not just the network problem GM wasn’t fixing, it was more traditional problems as well. Whatever hack GM pulled off, starting in November 2014 as a kluge to fix a long-running problem, GM did so while under great pressure for having sat on other (more obviously dangerous) problems with their cars. GM also did so knowing their recognizable Impala would be shown on 60 Minutes exhibiting this problem.

In late 2014, they demonstrated it yet again for a 60 Minutes episode that would air in February of 2015. (For both shows they carefully masking-taped the car’s logos to prevent it from being identified, though car blog Jalopnik nonetheless identified the Impala from the 60 Minutes demo.)

So GM had a lot more urgency to find curious hacks in November 2014 than they did in 2010.

That obvious urgency doesn’t stop GM from claiming they’ve changed their ways, pointing to a quick fix they made in July (though they said nothing about the apparent vulnerability of Escalades to the same hack researchers used on a Jeep Cherokee).

Massimilla also admits that GM took so long to fully protect its vehicles because it simply wasn’t ready in 2010 to deal with the threat of car hackers. He contrasts that response to GM’s cybersecurity practices today, such as issuing a fix in just two days when it was alerted to a flaw in its iOS OnStar app in July. “The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity,” he writes. “Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”

While I think the article pays too little attention to the recall bonanza in the industry and how that may have changed GM’s attentiveness to cybersecurity flaws, it claims that one thing motivating quicker responses is that, unlike the researchers who did the original hack on OnStar, researchers now release their results publicly. Significantly, the researchers who found this problem have since switched to full disclosure of their results.

Savage says that if he were doing the same research today, he’d reconsider the decision to shield GM from public pressure. When he, Koscher, and other researchers revealed another car hacking technique in August, for instance—this time hijacking cars through a common Internet-connected gadget many drivers plug into their dashboards for insurance purposes—they publicly named every company whose bugs they’d exploited.

I raise all this not just for what it says about cars and hacking but also — of course — because of what it says about cybersecurity policy.

As I’ve noted, GM was actually a late supporter of CISA, writing a letter to announce their support just before recess in August, when business groups were making a big push to get it passed. I suggested at the time that GM might have been motivated by their Escalade vulnerability, hoping (possibly knowing) that if they revealed such vulnerabilities to authorities the government — the entire government, according to the plain letter of CISA — would be unable to launch any action against the company. On its face, it would appear that limitation would apply to NHTSA.

I’m not sure how this would work in practice — and neither are any of the lawyers I’ve been asking about this. But GM now knows that NHTSA is under far more pressure to order expansive recalls. And it also knows that researchers will default to publishing their research on vehicle insecurities, unlike what they did for this hack 5 years ago.

Those two things may well explain GM’s sudden interest in sharing information with the government.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

15 replies
  1. wallace says:

    quote”Starting in November of 2014, through the first months of 2015, the company says it silently pushed out a software update over its Verizon network to millions of vehicles with the vulnerable Generation 8 OnStar computer.”unquote

    Hahahahahahaha! A software update sent over GM’s Verizon network..to millions of vehicles. right.

    Why do I get the feeling, someday, millions of GM’s(and other brand) vehicles will be permanently stopped in their tracks ..at the same moment.

    Ashley Madison comes to mind.

    Time to hug my 82 Corolla.

    • wallace says:

      quote”Why do I get the feeling, someday, millions of GM’s(and other brand) vehicles will be permanently stopped in their tracks ..at the same moment.”unquote

      Yeah, well wait till a few hundred million HVAC systems, refrigerators, stoves ,toasters, lighting systems, locks, communications and god knows what else is connected to the Internet of Things.. all go crazy at the same time. Who needs nukes to bring down Murika.

  2. Stephen says:

    Massimilla writes in an email. “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

    Why does that make me even more uneasy about GM cars? After all, the very concept of a hack–ANY hack–is to make a particular computing system do things its makers may “not necessarily [have] designed [it] to do”.

    The very knowledge that such a method is possible at all means that right this moment somewhere one or more hackers are beavering away trying to ferret out what that method is–and how to exploit it themselves.

  3. orionATL says:

    of course one could ask why these vehicles have such hackable computer equipment.

    have environmental and energy concerns, which i believe is where ecu’s got their original rationale, been superseded by gizmo and dodad sales concerns?

    i sat in my car recently parked next to a cadillac escalade. suddenly it starts up with no one inside. 45 seconds later a guy walks up and gets in and drives away.

    who really needs this crap?

    what customers really want them?

    did the industry not learn anything from the toyota “old folks with their shoe caught in the rug” coverup and then debacle.

    • wallace says:

      quote”of course one could ask why these vehicles have such hackable computer equipment. have environmental and energy concerns, which i believe is where ecu’s got their original rationale, been superceded by gizmo and dodad sales concerns?”unquote

      GM hired the same Junior VP for Embedded Systems Security (JVPESS) who,
      quote”for his implementation, chose a chip so stupid the Republicans want to field it as Trump’s running-mate, wrote a communications spec that did exactly and only what was in the requirements, and briefed the embedded software engineer.”unquote

      http://www.theregister.co.uk/2015/08/27/smart_home_insecure/

      He was mentored by the Samsung JVPESS whose implementation of the Smart TV and Refrigerator was so spectacular.

      not.
      Meanwhile, the Internet of Things will only get better…

      quote”The product is a market hit, and within a month, blackhats have dropped malware on a million Android phones, and users get messages at 14 minutes past midnight demanding 0.56 Bitcoin to switch off the message, and Nielsen thinks the top-rating show airs at 2AM on a community radio station in West Bumcrack, Iowa, whose only content is speeches from YouTube by Julian Assange and Edward Snowden.”unquote

      Wait till GM owners become victims of ransom demands to start their cars.

      • wallace says:

        Moreover..Wait till GM owners become victims of ransom demands while DRIVING or else…the brakes will not engage, the steering won’t steer..and the accelerator will plunge to MAXIMUM SPEED.

        ain’t digital wonderful.

        sheezusHfuckingchrist. Speaking of Michael Hastings..anyone who can’t see the writing on the wall is fucking blind. After one single person is killed by virtue of this bullshit…GM or any other car manufacturer won’t be able to GIVE THEIR CARS AWAY FREE.

  4. orionATL says:

    how about this?

    how about a car manufacturer can’t use an electronic part in a vehicle until it has been proven reasonably unsubvertable.

    you know, like they do with prescription medicine.

    you know, like they never have done with industrial chemicals.

  5. joanneleon says:

    The Internet of Things is one of the dumbest concepts I’ve ever seen. I’ve been in the software biz for decades.

    On GM – so they hacked their cars to send out an update to quietly fix a vulnerability that allows their cars to be hacked. Comforting. Did they leave that new vulnerability in place so that they can send out updates to fix future problems?

  6. wallace says:

    ps..on the other hand, given the decade long GM ignition problem that killed numerous people, I’m not so sure. After all, they don’t call America the Dumbest Fucking Country on the Planet for nothing.

  7. bloopie2 says:

    “… hoping (possibly knowing) that if they revealed such vulnerabilities to authorities the government — the entire government, according to the plain letter of CISA — would be unable to launch any action against the company.” Geez, if any of my devices are hackable (which I assume all of them are); and if I tell the government that my devices are hackable; then, does that mean that the government can’t hack them to discover contents and go after me for what they find? I gotta believe GM would back me up on that. See, if the government could hide behind a “legitimate law enforcement investigation” argument, then GM wouldn’t get its freedom from NHTSA!

  8. RUKidding says:

    These are the reasons why I still regret getting rid of my 1991 Camry somewhat recently (almost 260,000 miles on it), even though it had few safety features – no air bags, no anti-lock brakes. All this hackability. Cars, these days, are mostly one giant computer.
    *
    As for my home, the only thing that can be hacked (and probably is routinely) is my phone. No TV and certainly none of my appliances or HVAC system are connected to the Internet. Dumb thing to buy that crap. No computer at home.

    • wallace says:

      quote”The problem caused crashes that killed at least 124 people and injured 275 more, according to lawyers in charge of a fund set up by GM to compensate victims. Families of those who died will get at least $1 million. GM has set aside $625 million to compensate people, and also faces multiple lawsuits from the problem.”unquote

      GM products kill 124 people while hiding defects in their products and no one gets arrested.
      A 14 year old brings a clock to school and gets arrested.
      right.
      In a sane parallel universe, CEOs of companies that hide defects in their products that kill scores of human beings get publicly hanged, while bigoted police who, under the color of law and under the influence of stupidity, arrest and publicly shame 14 year old students get publicly flogged, tarred and feathered.
