Is OnStar still susceptible to remote hack attacks?

Fiat Chrysler announced last week that it is recalling 1.4 million vehicles after a team of independent cybersecurity specialists hacked into the company’s Uconnect telematics system over a public cellular network and took control of a number of critical functions – including the brakes, transmission and steering – of a Jeep Cherokee.

Several models are affected, and the software needs to be physically updated via a USB port, either by the owner or at a service center. The automaker also discovered a flaw at the network level that could be fixed without any customer action.

This is the first hacking-related recall ever, but it isn’t the first time this type of safety issue has been demonstrated.

In February, “60 Minutes” reported on a multiyear project conducted by the University of Washington -- and demonstrated for the program with assistance from the Defense Advanced Research Projects Agency (DARPA) -- in which researchers were able to hack into the OnStar telematics system of a 2009 Chevrolet Impala. With CBS correspondent Lesley Stahl behind the wheel, they turned on the windshield washers, honked the horn and disabled the brakes.

At the time, a GM spokeswoman said “a solution to the OnStar vulnerability uncovered by DARPA has been found,” but would not confirm when or if it had been implemented. Although the hack was done on an older, unidentified version of OnStar, Chevrolet sold more than 150,000 Impalas that model year, and many more GM models were equipped with the same system.

But, unlike Chrysler, GM has not issued any recalls related to OnStar security or specifically to the 2009 Impala’s embedded system, and a review of technical service bulletins issued for the model turned up none that address it.

Following the Chrysler announcement, GM was asked again whether a solution to the issue depicted on “60 Minutes” had been implemented – and, if so, how. A spokeswoman responded that “vulnerabilities demonstrated several years ago on the DARPA test vehicle have been, and continue to be, addressed. For competitive and security reasons, we will not discuss technical specifications of our systems.”

The spokeswoman did not respond when asked if this meant that GM would not confirm that a security fix had been fully implemented.

John Launchbury, acting deputy director of DARPA’s Information Innovation Office, said in February that the demonstration was performed on an unmodified system over a public cellular network. It was filmed just several weeks before the broadcast, suggesting the exploited flaw was still present then.

Updating to newer versions of OnStar requires service at a dealership, but if the issue solely existed at the network level, it’s possible that a patch could’ve been applied without any notification to owners or action by them.

A few days before the “60 Minutes” report aired, an internal BMW investigation uncovered a flaw in the ConnectedDrive telematics system in 2.2 million of its vehicles that could allow someone to remotely unlock the cars and manipulate their climate and entertainment systems. While it had never been breached by anyone outside of the company, BMW announced that it had issued an over-the-air update to the vehicles to correct it, which did not require a recall.

Launchbury could not be reached for comment on this story, but the lead researcher on the original study, Prof. Yoshi Kohno, compares automotive cybersecurity to a hole in a castle wall, where the car is the castle.

“Let's say that a vulnerability is found in the wall of the castle. There are a number of ways to fix that vulnerability,” Kohno explained. “One would be to make the castle wall stronger. Another would be to add more moats around the castle, so that it is harder to reach the castle wall. Both approaches would help to improve security, and adding the moat doesn't require any modification to the castle wall itself.”

Kohno’s team has never officially acknowledged that it was the OnStar system that it breached, and has no specific knowledge of the steps, if any, GM has taken to protect against a similar attack. But, addressing automotive cybersecurity, he suggests that “it would generally be most desirable to both fix the wall and add the moat, just in case one defensive layer is breached.”

While there have been no other unauthorized OnStar hacks exactly like the University of Washington's, Popular Mechanics reports that well-known “good-guy hacker” Samy Kamkar has developed a local wireless device that, when placed in or on an OnStar-equipped vehicle, can intercept the digital keys that offer access to the OnStar RemoteLink smartphone app. The app works with the system to allow a car owner to start, unlock and locate their vehicle, among other functions.

Popular Mechanics says that GM is working on a fix for that vulnerability, as well.