GM issues fix for OnStar hack

1 Aug 2015

GM says its cars are already protected against the OnStar hack.

As security researchers get better at finding vulnerabilities in connected cars, some automakers are getting better at patching them too. On Friday afternoon, GM’s OnStar announced a software update to its RemoteLink app for iPhone to patch a security vulnerability that could have been used from across the internet to track GM vehicles, unlock their doors, start their ignitions, and even access the car owner’s email and home address.

The news comes on the heels of a 1.4 million-vehicle recall by Fiat Chrysler to patch hacker-exposed software. Security researcher Samy Kamkar says he has built a $100 box that can take over basic controls of an OnStar-equipped General Motors car; GM says it has already fixed the problem. In a proof-of-concept video released Thursday, Kamkar showed how a homemade device built from a Wi-Fi hotspot and about $100 in parts let him remotely start engines and operate other features of cars equipped with OnStar.

Kamkar, a “white-hat” hacker, said he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service, and he advised drivers not to use the app until the flaw was fixed. Wired first reported the vulnerability, which let attackers effectively hijack the system to gain control of the car; hours after publication, and days after the flaw was disclosed to GM, the company said the problem was already fixed. OnStar offers some of the most futuristic features on any connected car, including the ability to locate the vehicle, unlock it, and even start its ignition, all from a smartphone app. But if an attacker has hidden a small $100 box somewhere on an OnStar-equipped car or truck, those same conveniences can fall into unintended hands.

GM’s RemoteLink app started as a feature for Chevrolet Volt owners to remotely check the status of their vehicle’s battery, according to the company. The idea expanded and connected with OnStar to give drivers up-to-date vehicle information such as oil level, tire pressure, fuel level, and lifetime miles per gallon.

Kamkar plans to provide technical details of the hack next week at the Def Con conference in Las Vegas, where tens of thousands of hacking aficionados gather to learn about new vulnerabilities. According to a General Motors representative, a fix was implemented overnight on the servers that communicate with the OnStar app, instituting stronger certificate controls and effectively locking out remote attacks like the one Wired detailed. “We did consider the option of an app update,” the representative said, “but focused primarily on a path that would allow us to make changes on the back-end that would allow the fix to be immediate, without the need for customer action.” A server-side fix means drivers need not update their phones and the change takes effect at once.

But after Kamkar pointed out that the attack was not blocked in his subsequent tests, the company also created a patch for its iOS app and says iPhone and iPad users should update their RemoteLink app to fully protect their vehicles. “Based on our initial conversations with Samy, we made changes that did not require user interaction. In our continued testing and conversations with him yesterday, we confirmed that [fix sufficed] for Android, Windows and Blackberry users but not for Apple iOS users,” GM spokesperson Renee Rashid-Merem wrote in a statement to WIRED. “GM takes matters that affect our customers’ safety and security very seriously… An update is now available via Apple’s App Store.” GM spokesman Terrence Rhadigan had told Reuters by email that the company was preparing an update to the RemoteLink app that would address the vulnerability. “It’s days away,” Rhadigan said.

Kamkar released his video a week after Fiat Chrysler Automobiles recalled some 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. That demonstration was frightening because, unlike previous hackers who physically altered cars to allow them to be taken over remotely, the Jeep hackers controlled a car they had not physically tampered with.

Observers say carmakers, heretofore focused on loading vehicles with digital connectivity, are starting to focus on security. “The fear mongering gets people to be diligent about this because you don’t want unintended consequences,” John Ellis, a former global technologist at Ford who now runs the consultancy Ellis & Associates, told PC Magazine recently. “But it’s nowhere near this cataclysmic event that people keep hearing about, and the car companies are hiring security people and taking this more and more seriously.”

Kamkar, the self-proclaimed OnStar hacker, said his goal is to raise awareness about the potential for hacking not just cars but all connected devices. “I do play Grand Theft Auto a lot, but my motivation isn’t to steal cars,” he told Wired. “I want to point out the lack of security here and the fact we need to pay more attention as we make more devices connected and quote ‘smart.’ The proof of concept is to show that it’s reasonably trivial for someone in my industry to do this.”

Kamkar’s device, which he calls OwnStar, works by posing as a Wi-Fi network the phone will join on its own. By giving the malicious network running inside the box an innocent-looking name such as “attwifi”, the free Wi-Fi account often available at Starbucks, an attacker improves the odds that a phone running RemoteLink will connect to it automatically, after which the box sits between the app and the OnStar service. With the user’s RemoteLink login credentials, Kamkar says, an attacker could patiently track a car, retrieve the device, and unlock the car’s doors to steal anything inside. The attacker can also read the user’s name, email, home address, and the last four digits and expiration date of a credit card, all of which are accessible through an OnStar account.

Kamkar demonstrates parts of the attack in his video, in which he tested it on a friend’s 2013 Chevy Volt. He cautions that he has only tried OwnStar on that one car, but he believes the hack likely works with any RemoteLink-enabled vehicle: it takes advantage of an authentication problem in the OnStar smartphone app, not a vulnerability specific to any vehicle.
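The article says only that the flaw was an authentication problem in the app, that the phone is lured onto a hotspot with a familiar name, and that GM’s server-side fix added stronger certificate controls; Kamkar’s own technical details were not yet public. The Go program below is an added example, not Kamkar’s OwnStar code and not GM’s, and it assumes the most common shape of that bug class: a mobile client that does not verify the TLS certificate of the service it talks to. Everything in it is constructed for the demonstration: the “genuine service” is a local test server using httptest’s built-in localhost certificate, the name service.example is hypothetical, the posted credentials are fake, and the interception host stands in for the box on the rogue hotspot. It shows the vulnerable client beside the hardened one rather than only the failure: a client that skips certificate checks hands the imposter the login, while a client that trusts exactly one certificate fails the handshake before any request bytes are sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// imposterCert mints a self-signed certificate for 127.0.0.1 under the attacker's own key.
// It is well-formed but trusted by nobody, which is all a rogue hotspot has to offer.
func imposterCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "service.example"}, // hypothetical service name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Scenario is the pair of hosts a phone on a hotspot might reach: the genuine service
// (httptest's own localhost certificate) and an interception box answering in its place.
type Scenario struct {
	Real, Imposter *httptest.Server
	Captured       chan string // request bodies the imposter received (buffered for the demo)
}

func NewScenario() *Scenario {
	s := &Scenario{Captured: make(chan string, 8)}
	s.Real = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "ok") }))
	s.Imposter = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		s.Captured <- string(body)
		io.WriteString(w, "ok") // a real box would relay to the service so the driver notices nothing
	}))
	s.Imposter.TLS = &tls.Config{Certificates: []tls.Certificate{imposterCert()}}
	s.Imposter.StartTLS()
	return s
}

// vulnerableClient accepts any certificate at all, so whoever answers on the hotspot gets the login.
func vulnerableClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
}

// hardenedClient trusts exactly one certificate (pinning), so the imposter's TLS handshake
// fails before a single request byte leaves the phone.
func hardenedClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// sendLogin posts constructed sample credentials the way a remote-control app might.
func sendLogin(c *http.Client, base string) (int, error) {
	form := strings.NewReader("user=driver@example.com&pass=hunter2") // constructed, not real
	resp, err := c.Post(base+"/login", "application/x-www-form-urlencoded", form)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	s := NewScenario()
	_, err := sendLogin(vulnerableClient(), s.Imposter.URL)
	fmt.Println("vulnerable client -> imposter:", err, "captured:", <-s.Captured)
	_, err = sendLogin(hardenedClient(s.Real.Certificate()), s.Imposter.URL)
	fmt.Println("hardened client -> imposter:", err, "captured:", len(s.Captured))
	st, err := sendLogin(hardenedClient(s.Real.Certificate()), s.Real.URL)
	fmt.Println("hardened client -> genuine service:", st, err)
}
```

Run it with `go run`: the vulnerable client reaches the imposter and the imposter prints the credentials it captured, while the hardened client is refused with an “unknown authority” error against the imposter and gets a 200 from the genuine service. Pinning a single leaf certificate, as here, is the strictest option; production apps more often pin the service’s public key or issuing CA so routine certificate rotation does not lock users out, which is one reason a fix that can be applied on the server side without an app update is attractive, and also why, as the article reports, such a fix only helps if the client actually honours the server’s certificate checks.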

After GM’s first fix, Kamkar wrote on Twitter that the issue had yet to be resolved. Though a GM spokesperson would not acknowledge the company’s failed first fix on Thursday, a tweet from the OnStar Twitter account noted that an “enhanced RemoteLink app will be available soon to fully mitigate the risk,” and the company announced that update today. GM’s statement also said: “We believe the chances of replicating this demonstration in the real world are unlikely … Kamkar, and an immediate fix is being implemented to address this concern.” So, while this latest attack might not be as dangerous as someone taking over your car, it does show one more way a hacker can gain access to personal data.

The OwnStar device lets the attacker do just about anything to the car, sounding the horn, flashing the lights, unlocking the doors and starting the engine, except put it in gear and drive away. Earlier this month, WIRED revealed that security researchers Charlie Miller and Chris Valasek had wirelessly hacked a 2014 Jeep Cherokee, a demonstration that led to the recall of 1.4 million Chrysler vehicles.

Kamkar’s goal isn’t to help thieves steal the contents of cars or to unleash a remote honking-hack epidemic on GM vehicles. That GM’s first fix fell short is a sign, he says, of just how inexperienced automakers are when it comes to cybersecurity, and of just how many bugs may be left to find and fix in internet-connected cars. “We need to start paying attention to this,” he told WIRED earlier this week. “Or cars will continue to get owned.”

Kamkar, a serial hacker who has recently revealed hacks for garage doors, combination locks and drones, also plans to reveal a second set of security vulnerabilities in cars’ digital key systems. The recent formation of the Alliance of Automobile Manufacturers (AAM), a group of 12 automakers including Ford, General Motors and Mercedes-Benz, could not have come too soon.
