Can OnStar Resolve the Car Security Crisis?*

General Motors’ OnStar vehicle connectivity solution was once shared under license with Audi, Acura, Isuzu, Subaru, Lexus and Volkswagen – an offer which was later terminated. OnStar made a second (public) attempt at licensing its technology to competing auto makers in 2009, but subsequently pulled that offer back as well.

In view of the vehicle security and privacy crisis facing the auto industry, it may be time for OnStar to reconsider the licensing option - that is, if OnStar can firmly establish its security credentials. Outside of OnStar, the auto industry collectively stands like a deer in the headlights as reports of vehicle vulnerabilities multiply without a clear solution in sight.

But OnStar - itself - ended up in the headlights of the television program '60 Minutes' when a thinly disguised GM vehicle was used to demonstrate the ease with which vehicles may be hacked.

In retrospect, there are those that view OnStar's reversal of its licensing decision as a major mistake, a lost opportunity to dominate the connected car industry globally. Licensing will pose fundamental challenges to competing car companies and the architectural choices that they have made governing their connectivity systems along with the partnerships they have forged.

Driving a licensing strategy, though, is the global industry demand for an immediate solution to ongoing and embarrassing revelations regarding vehicle hacking. And security shortcomings will short circuit plans for self-driving cars. So, much is at stake.

In the wake of ADAC’s hack of BMW vehicles in Germany, it is clear that the challenge of vehicle security must be solved first before governments can comfortably welcome fleets of autonomous vehicles on public roadways. But yesterday’s release of U.S. Senator Edward Markey’s report on vehicle security and privacy concerns and Sunday’s ‘60 Minutes’ episode on “DARPA Dan” Kaufman reveal the U.S. government stepping into a leadership role on both fronts.

https://tinyurl.com/ncfelr6 - Markey Report Reveals Automobile Security and Privacy Vulnerabilities
https://tinyurl.com/p8429cq - 60 Minutes Episode on ‘DARPA Dan’ Kaufman

Markey’s report highlights the lack of coherent and consistent privacy policies in the automotive industry – in the context of an industry that is culling massive amounts of data from its vehicles and enabling unfettered access to increasing volumes of that data to third parties. But of greater concern is the porous state of vehicle security, where the industry has either chosen to hide its head in the sand or, worse, confidently claimed to have a handle on the problem without actually recognizing its scope – Exhibit A: BMW and, now, GM.

Most interesting is that in the ‘60 Minutes’ episode focused on the Defense Advanced Research Projects Agency’s efforts to combat hackers attacking government and private agencies, CBS chose to highlight what some might regard as the lowest priority target – the automobile. Nevertheless, the hacked car has clearly become the most popular point of vulnerability to use when trying to rouse the concern of the general public.

Both the Markey report and the ‘60 Minutes’ episode point to the following conclusions:

  1. We must resolve the issue of vehicle security before tackling autonomous driving
  2. There is a role for the government, but that role likely lies in DARPA – or maybe NASA – NOT NHTSA (U.S. National Highway Traffic Safety Administration)
  3. Vehicle connectivity is the solution, not the problem

Vehicle security virtually mandates vehicle connectivity. Wireless vehicle connections are necessary to properly secure vehicles and enable vehicles to preserve that security with the ability to receive updates of prophylactic code. Wireless connections are also necessary for vehicles to be able to communicate when intrusions have occurred.

The Markey report and the ‘60 Minutes’ episode also highlight how far ahead of the entire industry OnStar remains – 18 years after its launch. Only OnStar (and Porsche) have the ability to remotely slow down and immobilize one of their cars in the event of a theft. In the context of the security vulnerability, this feature now stands out as a default safety response.

OnStar, in addition to Tesla, also stands out for its perfection of software updates – a pre-requisite for ensuring up-to-date on-board software code. In effect, OnStar’s fundamental architecture anticipated and provided for secure connectivity across the entire GM line up.

This is not to say that OnStar hasn’t doubled down on its existing security solution. Indications from the Renaissance Center, GM's headquarters, are that the company is hard at work hardening its platform in anticipation of the launch of its next generation. The next step for OnStar and, in fact, the entire industry, is to enable the telematics control unit to act as or be connected to a central vehicle hub or “brain” to monitor all systems on the vehicle network for intrusions.

Here it is worth noting that the IOActive vision of segregated vehicle systems, as recommended by that company in 2014 to enhance security, runs counter to the current industry shift toward integration.

It remains to be seen whether OnStar, like Tesla, will choose to share or license its security secrets with the industry. In fact, there is a wide open opportunity for any of a dozen entities to bring a solution to market. But OnStar maintains a technological edge after 18 years and has shown previous interest in licensing its technology.

It’s worth noting that, in the end, the core value proposition that ultimately distinguishes OnStar might not be Wi-Fi or apps. It may yet be the safety and security that have always been hallmarks of the OnStar brand.

*This blog was revised @ noon EST Feb. 10 to reflect more accurate information regarding the current state of OnStar vulnerability.

Lynn Walford

Writer/Editor Interviewer: Tech, Features, Connectivity, Electrification, AI, Automotive, Batteries, AVs, Assistive Tech, Medical + Marketing

9 years

Thanks for your info and quote Roger. It turns out that the car hacked by DARPA is a 2009 Impala with an older version of OnStar. https://wp.me/p4dsac-zxt Today, I sent an email to my GM PR guy telling them all they did to disguise the car was put a black bra on it... they could have at least put a hoodie and sunglasses on it so no one could recognize it.

It is perfect Roger. I agree. Actually I raised some of these issues on the webinar that I participated in. Here is an editorial: https://www.automotiveworld.com/analysis/oems-seek-external-data-security-expertise-arynga/ My intention is not to promote Arynga, but just to bring awareness.


Time for some aftermarket antivirus...

Pete Jenney

Retired - .NET & HL7/FHIR integration development for healthcare systems

9 years

I'm waiting with beta breath to see how they handle this. Attack surface expansion? yup ...
