
Car computer exploits, local and Internet based.
Onstar, Risks and remediation. v.3
M.A. Newhall

Risks

There are hundreds of thousands of laws on the books, and a disproportionate number of them are aimed at both the safe manufacture and the safe operation of motor vehicles. Cars are valuable but can be deadly: two (or more) ton missiles careening through public places, injuring and killing not only those outside their metal shells but their occupants as well. Fault has largely been assigned in two areas: those who designed and manufactured the car, and those who operate it. There is now a new area of risk: total strangers seeking political power and financial reward, in other words terrorists and ransomers. Over the past decade, cars have had more and more of their functions controlled by internal computers. In a sensible engineering decision, these functions were placed on individual computers, which now communicate with each other on what is known as the CAN bus. Unfortunately, the devices on this bus have more or less unlimited access to each other. While your climate control system (for example) may not be interested in what your anti-lock brake control unit is doing, it can see it nonetheless. This presents a problem, as any vulnerable component may send signals to any other. It is not unusual, and may even be necessary, for computer networks to be vulnerable internally, but they will typically have carefully audited exterior-facing computers. External to what? Sources of data and programs not originating from the designers. Most cars have many external sources of data, and therefore many possible sources of exploits: the standard OBDII port, a DVD slot on the entertainment unit, a Bluetooth connection typically meant for cell phones, and USB data and maintenance ports, possibly on multiple units. These input methods all represent significant risk, but they present two large challenges for a would-be attacker. Either they need to get physical access to the unit, or they must trick someone with access to the car into installing an exploit.
Both of these are spotty, time consuming, and unreliable for mass action. I should point out there is one exception to the above: an exploited cell phone could be used to in turn exploit a vulnerable Bluetooth receiver in the car. This is a slightly elevated risk for a mass or batch remote attack, but this risk is hampered by the chaotic diversity of both the car market and the cell phone market. A simple suggestion for manufacturers: cars should not plainly identify their make, model and year when pairing. This data is usually saved by the phone. The highest risk for the car's CAN network, the same as for computer LANs at home or in the office, comes from the Internet. Onstar units are an example of a direct connection facing the Internet at large. The only firebreak between the Internet and your car's physical Onstar unit is Onstar's corporate network security. This is a huge risk. This is not criticism of Onstar's network security layout, which is probably excellent and sensibly not published. But Onstar is a very high value target, probably similar in worth to the biggest banks and stock markets. When the value is measured in the billions, the highest illicit talent will be attracted. In the long run, a successful attack is inevitable. Putting high value target vehicles, like cars used by law enforcement, in harm's way by leaving Onstar intact is an invitation to disaster. Using Bluetooth to control and stream Internet services via the car's entertainment system on demand is the closest any car should come to the Internet. The chaos of market choices of both cars and phones will limit the ability of an attacker to control entire model line-ups of cars across cities or even countries. Consider the uniformity of, say, 2009 Impalas in a particular city. An Onstar unit will be tougher to get to, but once the hacking is complete, the entire fleet is exploited. Directly connecting any car to the Internet with a two way connection is the problem. I am not speaking of one way connections, like how an airbag deploy distress signal could have been implemented (if, unlike Onstar, it is implemented as a one way signal), or a one way incoming signal like XM radio. Onstar is a 3 watt (unlike your .6 watt handheld) cell phone, currently subscribed to the Verizon network. It is always connecting to nearby cell towers, same as your phone. It can be contacted or can call out at any time, without your knowledge, just like your computer connection at home is constantly answering requests even when you are idle. As a clarification, customers whose Onstar units used the once active analog cell service are not safe either. While their cars no longer connect with the Onstar network, in some ways they are more at risk. Their software is dated and uncared for, and their Onstar units are still searching for an analog signal as they drive. A clever hacker can set up a makeshift analog antenna and pose as Onstar, taking over every car as it passes his location. So how exactly would a hacker 'take over' a car? Onstar already has numerous consumer features available to an attacker: remote start and stop, lock and unlock the doors, and the ability to limit the car's ability to accelerate. These can all be accomplished with no special code once the Internet facing Onstar operation is infiltrated (or a man in the middle established). These exploits are frustrating and can be deadly in certain emergency situations, but they are the tip of the iceberg. An attacker could send a signal to reprogram a particular computer controlled system. This is where the highest risk comes in. Once permission was established to reprogram any component, most simply it could be reprogrammed with non-functional code or even random data.
This would render the component, and possibly the car, inoperable. Depending on the details, the computer in question could be permanently damaged or bricked. The financial impact of doing this to every affected vehicle in an entire city at once would be devastating. If reprogramming were successful, the car could likely be remote controlled. The newest cars have most or all drivetrain, suspension and brake components controlled by computer. An exploited Onstar unit could set up a two way feed to remote control the car. The driver could only watch in horror as their vehicle ran amok, responding in a limited fashion, or not responding at all, to driver input.

Traction control - power directed to a particular wheel.
Stability control - braking directed to a particular wheel.
Collision alert - preloading and lightly applying the brakes.
ABS - heavy (or no) braking.
Cruise control - acceleration.
Cameras - there are cameras all over the car.
Electric power steering - computer controlled.
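As an added illustration of the two risks described above (every node on the CAN bus seeing every other node's traffic, and a reprogramming request reaching a component), here is a small defensive CAN-log monitor written for this edit; it is not part of the original paper. It flags ISO 14229 (UDS) session, security-access and download requests seen on the standard OBD-II tester IDs, and arbitration IDs whose frame rate exceeds a learned baseline; the log lines, the IDs 0C9/1E9 and the baseline counts are constructed for the example.

```python
import re
from collections import Counter

# Constructed candump-style log ("(ts) iface ID#DATA"); IDs 0C9/1E9 are made up, not real GM signals.
SAMPLE_LOG = """\
(0.000) can0 0C9#0000001F00000000
(0.010) can0 1E9#0000000000000000
(0.020) can0 0C9#0000001F00000000
(0.030) can0 1E9#0000000000000000
(0.040) can0 0C9#0000001F00000000
(0.045) can0 0C9#000000FF00000000
(0.050) can0 1E9#0000000000000000
(0.055) can0 0C9#000000FF00000000
(0.060) can0 7DF#0210020000000000
(0.070) can0 7E0#0227010000000000
(0.080) can0 7E0#0334000000000000
"""
# Expected frames per 100 ms window for each ID, as learned from a clean drive (constructed values).
BASELINE = {0x0C9: 3, 0x1E9: 3}
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")

# ISO 14229 (UDS) services that open a diagnostic/reprogramming sequence; a tester
# normally sends these in a service bay, not while the car is on the road.
UDS_FLAGGED = {0x10: "DiagnosticSessionControl", 0x11: "ECUReset",
               0x27: "SecurityAccess", 0x34: "RequestDownload", 0x36: "TransferData"}
DIAG_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))  # OBD-II/UDS tester request IDs

def parse(log):
    """Return (timestamp, arbitration id, payload bytes) for each well-formed line."""
    frames = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames

def uds_alerts(frames):
    """Flag tester-range frames whose ISO-TP single-frame payload carries a flagged service."""
    alerts = []
    for ts, cid, data in frames:
        # ISO-TP single frame layout: byte0 = length, byte1 = UDS service id
        if cid in DIAG_IDS and len(data) >= 2 and data[1] in UDS_FLAGGED:
            alerts.append((ts, cid, UDS_FLAGGED[data[1]]))
    return alerts

def rate_alerts(frames, baseline, factor=1.5):
    """Flag IDs sent more often than baseline*factor: a spoofing node adds its frames on
    top of the legitimate sender's, so that ID's rate rises instead of staying constant."""
    counts = Counter(cid for _, cid, _ in frames)
    return {cid: n for cid, n in counts.items() if cid in baseline and n > baseline[cid] * factor}
```

Running `uds_alerts(parse(SAMPLE_LOG))` reports the three diagnostic requests, and `rate_alerts(parse(SAMPLE_LOG), BASELINE)` reports ID 0x0C9 as sent more often than its baseline; a production monitor would additionally gate the UDS rule on vehicle speed so that legitimate workshop sessions are not flagged.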

Thankfully GM models don't have parking assist or purely electronic shifting, yet. But once the car is put into gear, control of it may belong to someone else. As for real world feasibility, I suggest you study the Stuxnet virus. It was as complex (if not more so) than would be needed for any of the above. It was wildly successful at attacking physical Iranian SCADA systems. Attacks of this nature may need to be well funded and organized by many people working together, but they are proven feasible. Also, a recent study involving a Toyota Prius and Ford Escape demonstrated plainly the feasibility of hacking component computers, including hacking via the CAN bus. If you are inspired to remove your Onstar service and physical unit now, you will be disappointed. Most modern cars have Onstar modules with other key features integrated into the same box. If you contact Onstar they will disable your account on their servers and extinguish a few LEDs in your vehicle. They will not guarantee this terminates cell packet traffic, initiated in either direction. As for physical removal of the unit, I was told a 2013 Terrain is inexorably entwined with Onstar so that it can not be removed. A check engine light will be lit, and an unlit check engine light is a non-negotiable requirement of state inspection in NY state. I tested to verify this and instead was greeted by an equally damaging, though not technically illegal, 'service traction control' message. I do have serious doubts about a conscientious owner's ability to get through inspection with such a prominent message displayed. This will probably come to a head now: in the past an aware owner/operator could remove the Onstar unit from the car without consequence, and meanwhile the level of computer control over critical components has crossed the threshold of feasible total remote control.

Remediation and Recommendations

This is for every vehicle 2009 or newer. Some older vehicles may also be included in this, but it is not exhaustive. GM vehicles are specifically considered because of their always-on two way Internet connection.

Block all RF transmission from Onstar (or the like) antennas. Fortunately cell transmission is well understood and standardized. Locate your Onstar unit and unplug the antenna. Do not stop there. While schematics are not published, it is well known that a backup antenna is present in the unit. This makes sense, as otherwise theft recovery might be too easy to defeat. Install a 50 ohm dummy antenna on the Onstar antenna receptacle. Then wrap the unit in a Mylar bag to block internal transmission. That way it thinks it is just out of range, based on its transmission being absorbed in the dummy antenna. If it does revert back to the (doubtlessly weaker) backup antenna for some reason, the unit will fail to transmit as well. Testing of the Mylar bag for suitability can be performed with any Verizon phone in a good coverage area. Another alternative may be a Bluestar drop-in replacement for your Onstar module. Contact manufacturer Costar for feasibility and features with your vehicle.

Install a remote solenoid based battery kill switch, operable from the driver's seat. <- EVERY SINGLE LAW ENFORCEMENT OFFICER VEHICLE SHOULD DO THIS. Computers stole the idea of 'safe mode' from NASA remote controlled satellites. But NASA likely got the idea from cars. As long as power assist systems have existed, it has been well understood that they need to continue to operate when the power is cut. By installing a main battery solenoid based cutoff switch with a toggle switch reachable by the driver, you can force the car off and into a 'mechanical only' state. That should be enough to guide it safely to the side of the road until it can be examined and possibly repaired. Your parking brake will not be able to fight a modern 300+ hp engine. As an aside, everyone should try this once on a long closed road. Mechanical only mode may require a whole lot more strength to steer and brake the car.

Install non-factory-integrated DVD players. DVD players may be exploited by downloaded (probably pirated) DVD ISO images. The unit can then take over your car via the CAN bus. Non-factory DVD players eliminate this risk entirely, having no data connection to the car.

Upgrade cell phones. Only connect trusted phones to the car.

Upgrade your cell phones to the latest versions. Do not install random programs on them. Don't pair your vehicle with poorly cared for phones with many downloaded programs on them, for instance children's phones.

USB: virus scan all USB devices before connecting them to your car.

Law

Existing Law. Your engine data and GPS data from your driving patterns and routes are copyrighted by you. Your car is the pen by which you author it. It is the same as writing a letter on a laptop: Dell Computer Corp. does not now own a letter you wrote on the computer you bought from them. If you cancel your Onstar service and they continue to receive data from your car, they are stealing your copyrighted work. Legally they are no different from any Internet copyright pirates. In addition, your copyrighted data has real world value. This is demonstrated by the traditional sale of this data to Progressive Insurance company in exchange for a discounted insurance rate. I'll leave the legal implications of these points as an exercise for the reader.

New Law. With a clear terror threat in place, a new law should be passed immediately requiring a 100% effective kill switch for Internet/two way connections built into cars. This would act like an airplane mode on a cell phone or the physical 'wifi off' switch popular on laptops. Well meaning companies need to rethink Internet connections. Corporate goodwill (and liability) can both be addressed by offering a definitive kill switch for two way Internet traffic. Another possible design is to revert to the single purpose Onstar box, which can be removed without consequence. General Motors/Onstar should not wait until the force of law (and the pointed guns that back it) comes down on them after a disaster. That kind of thinking allowed 9/11 to happen. Time to act now.
