As security researchers get better at finding vulnerabilities in connected cars, some automakers are getting better at patching them too. Earlier today, Wired revealed a vulnerability in General Motors' OnStar system, letting attackers effectively hijack the system to gain control of the car. Just hours after publication and days after the vulnerability was disclosed, General Motors made a server-side fix that addressed the issue for Android, BlackBerry and Windows Phone, but absent an app-store-initiated update, iOS users are still vulnerable to the attack.
"Impacted customers will receive a communication from OnStar today and the previous version of the app will be decommissioned following that communication to ensure customer security," a GM representative said in a statement. General Motors had initially dismissed an app-based update as inefficient, but later research by Samy Kamkar, the bug's original discoverer, showed the fix was not effective for users connecting through iOS.
OwnStar update: I just confirmed @OnStar has resolved the vulnerability with the RemoteLink app update released today! Great turnaround! — Samy Kamkar (@samykamkar) July 31, 2015
It's a reminder of how effective software maintenance can be in keeping a system secure, and how complicated an effective update can be. Vulnerabilities are inevitable in any connected system, and they only become dangerous when they go unpatched. "We view the work he and other security researchers [do] as an important piece of making in-vehicle systems more secure," the representative said.
7/31 3:18PM ET: An earlier version of this article stated that the server-side patch was sufficient to protect all users. The article was updated after further testing revealed the limitations of GM's initial patch.