Wired published a fascinating article today on the car industry’s slow response to security flaws revealed by the car hack led by UW CSE professor Yoshi Kohno and UCSD professor (and UW CSE Ph.D. alum) Stefan Savage five years ago. The article notes that it took the affected manufacturer, General Motors, five years to issue a fix to its millions of vehicles equipped with the OnStar system that the team demonstrated was vulnerable to attack.
From the article:
“When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive….
“But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions….
“For nearly half a decade, millions of GM cars and trucks were vulnerable to that privately known attack, a remote exploit that targeted its OnStar dashboard computer and was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether.
“ ‘We basically had complete control of the car except the steering,’ says [UW CSE Ph.D. alum and UCSD postdoc] Karl Koscher, one of the security researchers who helped to develop the attack. ‘Certainly it would have been better if it had been patched sooner.’ ”
The article explains how the research team chose to notify GM and federal regulators of the vulnerability privately, rather than publicizing it widely as was done with more recent car-hacking demonstrations. Although it took five years for GM to issue a fix, the article attributes the delay less to negligence than to an industry-wide lack of preparation. As the article explains it:
“GM’s glacial response is partly a result of just how far ahead of its time the UCSD and UW researchers’ OnStar attack was. Their technique, described in a pair of papers in 2010 and 2011, represented a brilliant and unprecedented chain of hacker attacks integrated into a single exploit.”