Update, Friday July 31: OnStar has issued an update to the iOS version of its RemoteLink mobile app that closes the vulnerability used in the attack described in this article. GM customers who use RemoteLink on iOS should install the update as soon as possible to reduce their risk of attack. According to OnStar, users of RemoteLink on other mobile platforms do not need to take any action.

Samy Kamkar, a Los Angeles-based security researcher and hardware hacker, has created a device called OwnStar that can locate, unlock, and remote-start General Motors cars equipped with OnStar. The attack targets the communications channel between OnStar's mobile software and OnStar's service: by intercepting the app's traffic, OwnStar captures the credentials of the car's owner. Kamkar will demonstrate the device at next week's DefCon security conference in Las Vegas.

The OwnStar device detects nearby phones running the OnStar RemoteLink application, then injects packets into the app's communication stream and coaxes it into revealing the user's credentials. With those credentials, an attacker can sign in to the vehicle's OnStar account and use the full functionality of the RemoteLink app, including locating, unlocking, and remote-starting the car.

Kamkar says the vulnerability lies in the RemoteLink app itself, not in the OnStar hardware installed in GM vehicles, and that GM and OnStar are working to correct the flaw in the app. For the time being, GM customers who use OnStar can protect themselves by not using the RemoteLink app.

Full technical details on the hack will be presented at DefCon.

OnStar ran into trouble with the web APIs behind its mobile applications in 2012, after Volt enthusiast Mike Rosack reverse-engineered the interface RemoteLink uses to retrieve Chevy Volt energy-efficiency data. The company shut down the API because it let Rosack pull other drivers' data out of OnStar's private cloud and store it on his Volt Stats web server. OnStar later developed a new protocol that lets vehicle owners opt in to data tracking by Volt Stats, with the authorization handled through OAuth.