EC-Council Authorized Partner Canada


GM TURNS A NEW LEAF ON HACKERONE?

In December I showed you the painful truth that some vehicles are remotely hackable. Grey hats Charlie Miller and Chris Valasek discovered that hackers are not just limited to spying on some of Chrysler’s vehicles using its Uconnect communications system. No, no. They can also gain control of their radio, phone, GPS, windshield wipers, steering wheel, and even gas pedal and brakes. YIKES!!!


Miller and Valasek quickly published their findings (minus some key code so the hack could not be easily reproduced) and informed Chrysler about it. Then they worked with Chrysler to swiftly create patches for the vulnerable vehicles (download here).


Like Chrysler, General Motors is no stranger to grey hat hackers testing its cars’ security defenses without consent. In 2010, a group of researchers from the University of California at San Diego and the University of Washington privately informed GM that its 2009 Chevy Impalas allowed hackers to gain near-complete control of the cars through a weakness in their OnStar communications system.


Amazingly, GM took 4 years to fix this problem, leaving many drivers ignorant and vulnerable. I can’t help but wonder if GM would have dragged its feet for so long on this if the researchers had shared their findings publicly like Miller and Valasek did.


The good news is that GM has finally taken a more active role in ensuring that its cars are more secure. It’s now the first automaker to actually invite ethical hackers to test its security weaknesses and report their findings using HackerOne, a relatively new security disclosure company and website. 


As I explained recently, HackerOne “promises to help make it easier and safer for security researchers to get and manage jobs. […] [It also] enables companies to easily set up bug bounty programs that hackers can peruse and participate in if they wish.” (1)


This is great because, theoretically, GM should now have a much more streamlined and transparent working relationship with hackers and the public. And even though it’s been a mere 23 days since its inception, GM’s HackerOne page has already thanked 2 researchers for finding and patching 3 security weaknesses.


So far I’d say they’re off to a pretty strong start!


If you have any questions or comments, you can reach me by email at czs@ethicalhacking.com.

Image: General Motors Co. (GM) signage is displayed outside of General Motors of Canada Ltd. headquarters offices in Oshawa on Aug. 8, 2011. GETTY IMAGES/BLOOMBERG/Brent Lewin

1. https://goo.gl/vImB8t