GM Vehicles Can Be Located, Unlocked, Started Remotely Via OnStar App

White Hat hacker Samy Kamkar's OwnStart device latest to show up vulnerabilities in modern vehicles

[UPDATED with GM comments]

In another demonstration of how vulnerable modern vehicles are to external tampering, a hacker has shown how to locate, unlock, and remotely start any GM vehicle equipped with an OnStar RemoteLink app.

In a YouTube video posted Thursday, white hat hacker Sanjay Kamkar used a device he calls "OwnStar" to intercept communications between a user’s OnStar mobile app and the OnStar cloud service. He then showed how an attacker could send specially crafted packets to the user’s mobile device to gain access to additional credentials describing the connected vehicle’s location, make, and model.

With that information on hand, an attacker can use the intercepted OnStar app’s remote unlock and remote start functions to take over the vehicle, he said. Any GM vehicle owner who fires up the OnStar mobile app in the proximity of OwnStar device is vulnerable to the attack, Kamkar says. He urged GM owners not to use the OnStar Remotelink mobile app until the company has a fix for the problem.

“Fortunately the problem lies with the mobile software and is not a problem with the vehicles themselves,” Kamkar says. “GM and OnStar have so far been receptive to me and are already working quickly on a resolution to protect consumers.”

In an emailed statement to Dark Reading, a GM spokesperson said the company's product cybersecurity representatives had reviewed the vulnerability and secured an unspecified back-office system to reduce risk. That step required no customer action, the spokesman said. But continued testing identified that further action was necessary on the Apple iOS version of RemoteLink app. "That step has now been taken and an update is now available via Apple’s App Store," the spokesperson said.

OnStar will alert affected GM customers about the the previous version of the app being decommissioned. "No additional action is required for Android, Windows Phone and Blackberry users," the GM spokesperson said.

Kamkar described his YouTube demonstration as a sneak peek and promised more details on the exploit and other car-related attacks and tools over the coming weeks at the DEF CON security conference and other venues.

Kamkar’s exploit is the second one targeted at smart cars in recent days. Earlier this month, noted car hackers Charlie Miller and Chris Valasek demonstrated how attackers could take complete remote control of a Jeep Cherokee’s braking, steering, and other critical systems through the vehicle’s entertainment system.

As part of the demonstration, the two hackers showed how they could kill the Jeep’s transmission remotely from 10 miles away while the vehicle was traveling at 70 miles per hour, causing the accelerator to stop working. The two hackers also disabled the vehicle’s brakes and toyed with the vehicle’s air conditioning, entertainment, and wiper systems to show how an attacker could take complete control of many critical functions of the vehicle by gaining access to its entertainment system.

The unnerving demonstration quickly prompted Fiat Chrysler Automobiles to issue a recall of some 1.4 million vehicles—covering seven vehicle models--equipped with certain radios. The company also implemented fresh network-level security measures to prevent the sort of remote manipulation that was demonstrated by the two hackers.

Chrysler described the attack as one requiring very sophisticated hacking skills and a highly detailed technical knowledge. But it was enough to stir major concerns among lawmakers and other car manufactures as well.

Kamkar’s demonstration is almost certain to fuel those concerns ever further and prompt closer scrutiny of the measures that major automakers are taking to protect modern, highly connected vehicle against remote attacks.

Concerns over car hacking are not new. Dramatic as the latest demonstrations by Kamkar, Miller, and Valasek have been, there were several others in recent years that have highlighted similar weaknesses.

In 2013, for instance, Miller and Valasek themselves demonstrated how attackers could remotely send malicious commands to a vehicle’s electronic control unit and cause problems with its braking, acceleration, steering, and tire pressure systems.

Concerns spawned by that demonstration prompted Sen. Edward Markey (D-MA) to send a letter to the CEOs of 20 major automakers asking for information on potential vulnerabilities in their vehicles to hacker attacks.

The responses from the automakers showed that 100 percent of modern vehicles are equipped with wireless technologies that are vulnerable to security and privacy intrusions, Markey’s office said in a report released earlier this year. The responses also showed that most automakers are unaware or unable to report on past hacking incidents and had inconsistent or haphazard measures for preventing remote access to vehicle electronics.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading: