How safe is your vehicle when having access to cyberspace ? GM Hacked Again

teamzr1

Supporting vendor
May 2022 - General Motors itself suffered a hack that exposed a significant amount of sensitive personal information on car owners names, addresses, phone numbers, locations, car mileage, and maintenance history.

The Detroit-based automaker revealed details of the incident in a breach disclosure ( see attached PDF below) filed with the California Attorney General’s Office not until May 16.
The disclosure explains that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29.

Further investigation revealed that the company had also been hit with a credential stuffing attack, which saw hackers infiltrate user accounts to steal customer reward points, which they then redeemed for gift cards. Credential stuffing is a rudimentary type of cyberattack that involves using lists of previously compromised login credentials to hack into online accounts. Such lists can be purchased with relative ease on the dark web.

We took swift action in response to the suspicious activity by suspending gift card redemption and notifying affected customers of these issues.
We also took steps to require those customers to reset their passwords at their next log in, and we reported this incident to law enforcement,” the company says. Customers whose reward points had been abused were subsequently replenished with new reward points, the company added.

In addition to the reward points theft, the incident also exposed a significant amount of user information.
GM’s breach notification lays out a full list of the information that may have been compromised by the hackers:

• first and last name
• personal email address
• home address
• username
• phone number
• last known and saved favorite location
• OnStar package (if applicable)
• family members’ avatars and photos
• profile picture
• search and destination information
• reward card activity
• fraudulently redeemed reward points

It’s unclear exactly how many customers were affected by this breach, though we know it’s more than 500 in California alone. California law requires that companies file public breach notifications to the OAG in cases where the number of state residents affected by the incident until is greater than 500 people.
But this is nothing new as GM and other nameplates have been hacked over and over again over last 10 years

In GM’s vehicles is no better as Onstar which is a spy to vehicles & their owners also opened the vehicles network to countless crooks

A pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive: Chrysler issued a software fix before the research was even made public.
The National Highway Traffic and Safety Administration launched an investigation. Within days Chrysler issued a 1.4 million vehicle recall.

But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions.
That’s in part because the prior group of car hackers, researchers at the University of California at San Diego and the University of Washington, chose not to publicly name the make and model of the vehicle they tested, which has since been revealed to be General Motors’ 2009 Chevy Impala.
They also discreetly shared their exploit code only with GM itself rather than publish it.

The result, WIRED has learned, is that GM took nearly five years to fully protect its vehicles from the hacking technique, which the researchers privately disclosed to the auto giant and to the National Highway Traffic Safety Administration in the spring of 2010.
For nearly half a decade, millions of GM cars and trucks were vulnerable to that privately known attack, a remote exploit that targeted its OnStar dashboard computer and was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether.
 

teamzr1

Supporting vendor
“We basically had complete control of the car except the steering,” says Karl Koscher, one of the security researchers who helped to develop the attack. “Certainly it would have been better if it had been patched sooner.”
But the researchers argue that GM’s years-long failure to fully protect its vehicles from that attack doesn’t reflect on GM’s negligence, so much as a lack of security preparation in the entire industry of Internet-connected cars.
Automakers five years ago simply weren’t equipped to fix hackable bugs in their vehicles’ software, the way that Microsoft and Google have long fixed bugs within weeks or even hours after they are disclosed to them. And many of those companies may not be much better prepared today.
“They just didn’t have the capabilities we take for granted in the desktop and server world,” says Stefan Savage, the UCSD professor who led one of the two university teams who worked together to hack the Impala. “It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists.”
In fact, GM tells WIRED that it has since developed the ability to push so-called “over-the-air” updates to its vehicles. The company eventually used that technique to patch the software in its OnStar computers via the same cellular Internet connection the UCSD and UW researchers exploited to hack the Impala. Starting in November of 2014, through the first months of 2015, the company says it silently pushed out a software update over its Verizon network to millions of vehicle with the vulnerable Generation 8 OnStar computer.
Aside from the strangely delayed timing of that patch, even the existence of any cellular update feature comes as a surprise to the UCSD and UW researchers. They had believed that the OnStar computers could be patched only by driving them one-by-one to a dealership, a cumbersome and expensive fix that would have likely required a recall.
GM chief product cybersecurity officer Jeff Massimilla hints to WIRED that performing the cellular update on five-year-old OnStar computers required some sort of clever hack, though he refused to share details.
"We provided a software update over the air that allowed us to remediate the vulnerability,” Massimilla writes in an email. "We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”
But Massimilla also admits that GM took so long to fully protect its vehicles because it simply wasn’t ready in 2010 to deal with the threat of car hackers. He contrasts that response to GM’s cybersecurity practices today, such as issuing a fix in just two days when it was alerted to a flaw in its iOS OnStar app in July. “The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity,” he writes. “Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”
A Brilliant Hack Lullaby Ahead of Its Time
GM’s glacial response is partly a result of just how far ahead of its time the UCSD and UW researchers’ OnStar attack was.
Their technique, described in a pair of papers in 2010 and 2011, represented a brilliant and unprecedented chain of hacker attacks integrated into a single exploit.
The intrusion technique began with a phone call to the Impala’s OnStar computer. Because Verizon’s voice network coverage was more reliable than its data network, the OnStar computers were programmed to establish a connection to any computer that played a certain series of audio tones, like an old-fashioned modem. UW’s Koscher reverse engineered that audio protocol and created an mp3 file that could trigger a vulnerability in the computer known as a “buffer overflow.”
From that initial audio attack, the attackers could pivot to take control of the OnStar computer’s higher-bandwidth data connection and finally penetrate the car’s CAN bus, the collection of networked computers inside a vehicle that control everything from its windshield wipers to its brakes and transmission.
Put simply, “you play this song to it, and the car’s taken over,” says UCSD’s Savage.
How GM Tried (And Failed) to Fix It: A Timeline
GM did, in fact, make real efforts between 2010 and late 2014 to shield its vehicles from that attack method, and patched the flaws it used in later versions of OnStar. But until the surreptitious over-the-air patch it finished rolling out this year, none of its security measures fully prevented the exploit in vehicles using the vulnerable eighth generation OnStar units.
Given that GM told the FCC it had two million Generation 9 Onstar computers deployed in 2011, former UCSD researcher Stephen Checkoway estimates that it had sold at least that many Generation 8 OnStar-enabled vehicles, too. “I would expect there were still several million vulnerable vehicles on the road,” Checkoway says.
Instead of updating the software on those Generation 8 OnStar units, GM first tried to block the attack on its cellular network. Sometime in 2011, it had Verizon put in a place a new measure on its wireless network to block data connections from OnStar computers to any server other than those approved as those belonging to GM.
But the researchers quickly found that a flaw existed in that fix, too. One in every 10 or 12 times that they restarted their Impala, its OnStar registered with the Verizon network in a way that somehow failed to prevent it from connecting to a malicious server, allowing their exploit to work again;
An attacker could have auto-dialed thousands of phone numbers to find and hack the fraction of vehicles in that unsafe mode. Even the researchers say they never fully understood why the Verizon network protection measure failed, though they say they warned GM about the problem within a few months of finding it.
GM claims that it responded by tweaking its network protection again, but even those secondary measures seem to have failed.
In 2012, the researchers were able to demonstrate their Impala hack for a PBS documentary despite Verizon’s and GM’s attempts to block it.
In late 2014, they demonstrated it yet again for a 60 Minutes episode that would air in February of 2015
 

Attachments

  • 2022 notice.pdf
    195.4 KB · Views: 0
Top