Another Car Hack – This Time GM

This is the week for car hacks – because it is the week before the hacker conference Defcon.  In this case, for about $100, a researcher has created a black box that, while nowhere near as dramatic as the Jeep hack, is still unnerving.

The black box is a WiFi hotspot.  It intercepts the communications from the GM Onstar smartphone app and masquerades as the user.  That is certainly a limitation compared to the Jeep hack.  This hack cannot disable your brakes or your accelerator.

What it can do is locate your car, unlock it and even start it – but not drive it away.  If you can unlock it, you can steal anything inside – or plant something inside if you are inclined to do that.

GM has been working with the researcher and claims to have fixed the app (it is not a car problem, it is an app problem).  Not everyone agrees that it is fixed, though.

The problem is, and we have heard this way too many times before, that although the app uses encryption, it does not make sure that the certificate presented for that encrypted connection is owned by GM and not a hacker.
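To make the missing check concrete, here is an added example (not GM's code or the researcher's) that puts a TLS client configuration that encrypts without validating the peer beside one that validates the certificate chain and hostname and then compares the server certificate against a pinned fingerprint. Pinning is shown as one common hardening step, not as the fix GM shipped; the certificate bytes, pin and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample bytes standing in for the backend's DER certificate.
SAMPLE_SERVER_CERT_DER = b"constructed-sample-der-bytes-for-backend"
# Pin set the app would ship with (assumption: SHA-256 over the DER certificate).
PINNED_SHA256 = {hashlib.sha256(SAMPLE_SERVER_CERT_DER).hexdigest()}

def weak_context():
    """The flawed pattern: traffic is encrypted, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx

def strict_context():
    """Chain validation against the system trust store plus hostname matching."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def validates_peer(ctx):
    """True only if the context rejects untrusted or mismatched certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def pin_matches(cert_der, pins=PINNED_SHA256):
    """Compare the presented certificate's fingerprint with the shipped pins."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return any(hmac.compare_digest(digest, p) for p in pins)

def connect_checked(host, port=443, timeout=5):
    """Handshake with full validation, then enforce the pin before any data is sent."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            if not pin_matches(tls.getpeercert(binary_form=True)):
                raise ssl.SSLError("server certificate does not match pinned value")
            return tls.version()
```

With the weak context, a rogue hotspot's self-signed certificate completes the handshake; with the strict context the handshake fails before any credentials leave the phone.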

While this attack may be fixed, the researcher will reveal a different exploit using the car’s digital key system.

It turns out that the researcher started working on a completely different exploit but the car maker fixed it – without his help – before he went public.  So a few weeks ago he switched to GM and found these two bugs.  Think about it – he found these bugs with a couple of weeks of work.

Now remember, these are the good guys;  they are working with the car makers and they are finding bug after bug.

Do you imagine that the bad guys are not trying to exploit cars also?  Do you think they are not finding anything?  Only difference is that they are not telling the car makers.

Smart cars are not that smart and unless the car makers step up their game, things are likely going to get more ugly before they get better.

Just sayin…



Information for this post came from Wired.
