General Motors (GM) has recalled millions of vehicles on account of a software fault. The automotive giant will recall 4.28 million vehicles globally, the large majority of which will be in the US.
This software problem affects a whole range of cars including Buicks, Chevrolets and Cadillacs, all apparently made by GM.
The US National Highway Traffic Safety Administration published an advisory on 8 September saying that the fault could affect up to 3,640,162 vehicles. The advisory noted, “In the affected vehicles, certain driving conditions may cause the airbag sensing and diagnostic module (SDM) software to activate a diagnostic test.”
During the aforementioned diagnostic test, the frontal airbags and seatbelt pretensioners would not deploy, leading to a potentially catastrophic situation and grave injury to the passengers.
The 573 safety recall report explained further that, “the supplier of the SDMS included a diagnostic ‘oscillation test’ routine in its SDM software which can be improperly activated by pre-crash vehicle dynamics and which can, in rare circumstances, interfere with the SDM's proper deployment of front airbags or pretensioners as required.”
The issue started when a 2014 Chevrolet Silverado truck crashed in May. GM promptly opened an investigation in which the company's investigator found that several other models were subject to the same fault. It finally came to a conclusion late last month when GM decided to perform a safety recall.
The repairs will be free and owners of the listed vehicles have been encouraged to take their cars to the nearest dealers so GM can reflash the SDM software.
Some have criticised GM for not allowing over-the-air (OTA) updates to fix these kinds of problems.
Security researcher Scott Helme told Infosecurity magazine that “unfortunately for GM it seems that they don't have any OTA update capabilities”.
“As vehicles continued to adopt more and more complex software systems I think it's essential that they are able to receive OTA updates, especially in a case like this where the update is safety critical.”
Cesare Garlati, chief security strategist for the prpl Foundation, told SCMagazineUK.com that OTA updates can often bring in more problems than they solve: “as automobiles become more reliant on embedded technology, security of these systems has to come further up the agenda or more (albeit unnecessary) accidents are inevitable.”
“What is needed in the embedded systems that allow our cars to become connected is a solid foundation built on a root of trust, secure boot and virtualisation. And it has to be open source in order to work and be transparent and interoperable.”
Stephen Morrow, principal security consultant at SQS, told SC that this is “basically another example of manufacturers getting it wrong in terms of the software within their vehicles.”
This, added Morrow, “is going to continue to get worse unless manufacturers take it seriously.”
“If this is the sort of thing that is happening by accidents, just think about the things the bad guys could do with intent,” he concluded.
It was only a couple of months ago that GM issued a preliminary recall for certain 2007-2011 trucks and SUVs for another problem with passenger-side airbags.