GM’s Cruise Automation Guts Bolt EV Features To Increase Security


Two former hackers hired by Cruise spoke recently on autonomous vehicle security.

Last week at the Black Hat USA security conference, two well-known automotive hackers presented their plan for improving the security of the autonomous Bolt EV. Bluetooth connections, 4G internet, Wi-Fi hotspots and other wireless connectivity features are all potential access points for hackers. Charlie Miller and Chris Valasek, security architects at General Motors’ Cruise Automation, used their presentation to make the point that more tech leads to less security.

From Yahoo! Finance:

* In 2011, researchers at the University of Washington and the University of California San Diego took over a Chevy Impala, first by exploiting a vulnerability in its Bluetooth software and then by calling its OnStar cellular radio and playing a special sequence of tones.

* In 2015, Miller and Valasek gained control of a Jeep Cherokee by reprogramming its vehicle-control systems over the internet. This attack could have been written to spread from vehicle to vehicle — a possibility that led Miller and Valasek to not-so-humble-brag, “Damn, that was baller,” in the report they posted after their talk. Fiat Chrysler wound up recalling 1.4 million vehicles to fix the flaw.

* In 2016, the Chinese software giant Tencent’s Keen Security Lab hacked into a Tesla (TSLA) Model S by exploiting vulnerabilities in its dashboard web browser and onboard WiFi. In 2018, the same lab showed how to compromise a BMW i3 through such routes as its cellular connection.

An autonomous vehicle is potentially more vulnerable than the average car on the road today. Automakers are taking this risk quite seriously. The system of cameras, radar and LIDAR sensors is incredibly complex. In order to process inputs from all of these components, a powerful computer is required. Any external connection that is not controlled is a potential vulnerability.

The large computer/hardware unit that fits in the Chevrolet Bolt's hatch.

In self-driving vehicles, software safety is a priority for Cruise Automation.

Miller and Valasek have a relatively straightforward guiding principle: remove unnecessary systems that open vehicles up to remote attacks. “If you don’t need something, take it out,” Valasek told the attendees.

Bluetooth, satellite radio, and other insecure connections should not have direct interaction with the vehicle. All of these niceties are unnecessary in a self-driving car. Freed of the need to drive, Cruise passengers can spend their travel time reading, talking, watching movies, or checking social media on their own phone or tablet. In the car, passengers will only be able to interact via a separate stripped-down tablet disconnected from the rest of the vehicle.

2019 Autonomous Chevrolet Bolt

Unlike a garden variety Bolt EV, the Cruise autonomous fleet will not receive ‘over the air’ updates. Software updates will be done only with physical media. Cruise wants the car to refuse any inbound connection unless the vehicle requests it first. Even connections between vehicle components must be encrypted if possible. Of course, no automaker has built their existing cars with this in mind. “The components in cars are just so far behind,” stated Miller.

So what is their ultimate goal with cutting the AV Bolt EV off from the connected car future? Miller explained during a Q&A following the talk: “We’re going to make it so hard that they’re going to want to hack something else.”

Source: Yahoo News


21 Comments on "GM’s Cruise Automation Guts Bolt EV Features To Increase Security"


More tech = more vulnerabilities, which require more security. A remote hacker wouldn’t be able to do jack sh!t with a car from the 1960s. Good to hear GM understands the risks and is taking appropriate measures. Though I don’t believe any modern car is truly hack-proof.

Nothing network connected is hack-proof, but as the closing paragraph indicates, the goal is to raise the level of difficulty of hacking to the point where hackers will choose an easier target. However, I’m sure someone will still find a way to hack a Bolt AV, just because that seems to be the nature of hacking professionals, to hack the ‘unhackable’.

Thankfully in the case of these two hackers, they do it from a place of helping others, rather than to be malicious.

I’m sure hackers will take it as a challenge!

But those that do are more likely to do so from the same place as these 2: for the benefit of security.

Airplanes have two separate networks. Your phone watching an in air movie never touches the network that controls the aircraft systems. Same concept.

“A remote hacker wouldn’t be able to do jack sh!t with a car from the 1960s.” No, they just need a large flat screwdriver and you take the whole car.

Just run a SECURE OS. Did they write their own OS, that may be the problem. And no, removing features means you don’t know basic OS design.

Just make sure ring zero doesn’t have a back door put in by one of the developers.

If the car is 100% offline, how do you summon it with your cellphone? It seems the whole premise of the autonomous taxi is predicated on being able to connect wirelessly with something somewhere, so it seems it can still be hacked just as easily.

Impossible to remove all connections as you say. Only to limit the availability and use strong encryptions.

It can still be hacked. But not as easily. 🙂 Their goal is to just make it as difficult as possible.

They don’t mention summon. Just over the air updates to prevent the car from being reprogrammed on the fly. Not related to each other. The car is still online.

well, certainly would be hard for hackers to hack my bicycle or the horse down the street…

Agree on your bike. The horse one just clicks one’s tongue and holds out sugar cubes and voila!

Well, they certainly can’t do it without getting on my property while hiding their identity… Yes, they can be horse thief. =)

This is good, not only for security, but all the niceties that get put into a car are duplications of what we have in our pockets. Would much rather the car stay simple, and a stand alone screen could mirror my phone through a simple charging cable.

“In the car, passengers will only be able to interact via a separate stripped down tablet disconnected from the rest of the vehicle.”

Hell no, I am not getting in any autonomous car like that.
Too many things can go wrong in that scenario.

Leave it to the great GM apologist bro1999 to advocate for a car with 1960’s tech.

I’ve been programming for so long that most people here wouldn’t believe me if I mentioned the actual number of years.

And one of the clearest lessons I’ve learned: Commercial software development almost never focuses on basic security as much as it should. All the emphasis is on “getting it to work” and cramming in more features that most users won’t even know are there, let alone use. If you want to know how out of touch management is in many large software shops, look around at the endless discussions online about “how do I turn off feature X in program/OS Y?”

Until companies are held legally liable for security issues on a $/user basis, security will continue to be a bad joke.

Again, a good OS will isolate everything.
What are they running? “Fred’s OS”?

What OS are they running and what hardware?
Maybe the hardware can’t support a real OS.
Or, maybe GM saved a buck on the CPU and now can’t make it secure.

Seeing the interior without a wheel is still an attention getter.

They even removed the steering wheel to discourage carhackers, I mean carjackers 🙂

Sounds like spin. They’ve got a big OS problem of not being designed for security.

I wouldn’t even know where to sit without the steering wheel…lol.
Can’t wait for full AP!

nnnn nevermind