2009 Chevy Impala owners will be very surprised to find that their car was vulnerable to remote hacking all these years

Sep 10, 2015 20:44 GMT

General Motors recently patched a vulnerability in its 2009 Chevy Impala that a group of researchers discovered back in 2010.

In an interview with Wired, Karl Koscher, one of the researchers who found the flaw in GM's OnStar car management system, said the vulnerability granted hackers absolute control over the car's onboard computer, letting them control all of the car's functions.

Koscher says that by dialing the phone number associated with the car's OnStar system and playing back a maliciously crafted audio tone, attackers would have been able to trigger a buffer overflow, and subsequently access and gain control of the car's entire computer.

The vulnerability was disclosed to both GM and the National Highway Traffic Safety Administration.

GM tried to fix it in 2011 and failed

According to GM's statements, the company did try to fix it in 2011, in a joint effort with Verizon, by blocking all Internet connections from the OnStar system to any IP address not belonging to a GM server.

This solution mysteriously failed, and as GM's car security capabilities evolved, the company managed to patch the OnStar 8 system deployed on its cars using an over-the-air update in early 2015.

Asked why he and his fellow researchers didn't initially go public with their findings, Koscher said they felt that the automotive industry was not yet ready at that stage to issue a quick fix for their problems.

Going public with car vulnerabilities is the better solution

His opinion on the matter changed as he saw GM fail to address the issue for almost five years, and nowadays he's a firm believer that only by going public will car manufacturers care enough to fix their problems right away.

And he is right, because just a few days ago Chrysler recalled 1.4 million cars to address a security flaw in their car management computer that would allow attackers to gain control over the car, just like in Koscher's research.

Unlike GM, Chrysler was forced by media pressure and an investigation by the National Highway Traffic Safety Administration to do so, only two months after the vulnerability was made public.

Ironically, since 2010, Koscher and his colleagues have released two research papers about this topic (1, 2) and also made a few public appearances, talking about their hacks on a 60 Minutes episode on CBS and in a PBS Nova documentary.

There was no controversy in any of those cases because they took great measures to make sure the car make and model could not be identified.