Hacking GM’s OnStar Car App

By Kevin Bocek
VP Security Strategy & Threat Intelligence, Venafi | Aug 13, 2015 07:00 pm PST

Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi, commented on the OnStar hack that can remotely unlock cars and start engines. GM claims to have a fix.

Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi:

“Just in time for Black Hat and DEF CON, it’s not shocking to see ethical hackers showing us how vulnerable automobiles and other IoT devices are. According to Frost & Sullivan research, cars have about 16 hack points. As automakers add more and more wireless connectivity and entertainment features to vehicles, vulnerabilities increase tenfold for hackers. Today’s car has about 100 microcomputers that control everything from steering to brakes, to locks and acceleration.

What many don’t realise is that digital certificates and cryptographic keys underlie all of those systems to create trusted connections. All Internet of Things devices – from cars to smart watches to home alarm systems and more – all rely on keys and certificates, which are increasingly being misused by cybercriminals for nefarious purposes and man-in-the-middle attacks.

This week, security researchers plan to demonstrate how the GM OnStar application fails to validate SSL/TLS certificates, which allows a bad guy to get in the middle and ultimately unlock and start cars. This is why certificate reputation is so critically important: companies need to know in real-time what’s good, bad, friend, or foe, when it comes to certificates. As billions of connected devices come online that drive, fly, keep us safe and keep us alive, the world will be much more dangerous and vulnerable unless we find a way to trust keys and certificates.”

About Venafi

Venafi is the Immune System for the Internet™ and protects the foundation of all cybersecurity—cryptographic keys and digital certificates—so they can’t be misused by bad guys in attacks. In today’s connected world, cybercriminals want to gain trusted status and remain undetected, which makes keys and certificates a prime target. Unfortunately, most security systems blindly trust keys and certificates. Venafi patrols across the network, on devices, and behind the firewall, constantly assessing which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not. As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP) and a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to protect keys and certificates and eliminate blind spots from threats hidden in encrypted traffic. As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™ help organisations regain control over keys and certificates by establishing what is self and trusted on mobile devices, applications, virtual machines and network devices and out in the cloud. Venafi protects Any Key. Any Certificate. Anywhere™.

From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, your business, and your brand. Venafi Threat Center also provides primary research and threat intelligence for attacks on keys and certificates. Venafi customers are among the world’s most demanding, security-conscious Global 5000 organisations in financial services, retail, insurance, healthcare, telecommunications, aerospace, manufacturing, and high tech. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners, and Origin Partners.
