GM quickly issues fix for OnStar hack, but service still vulnerable

30 Jul 2015

Hacker Claims To Be Able To Take Control Of Any General Motors Car With OnStar.

Update 7/30/2015 11:30am EST: GM tells WIRED that it has now fixed the vulnerability that Kamkar’s proof-of-concept device exploited, with no action necessary for OnStar users.

While Fiat Chrysler recalled nearly 1.4 million vehicles and issued a patch related to some of its internet-connected cars, another automaker is now sitting in the precarious spot of potential hijack victim, as a hacker claims he can commandeer any of the company’s vehicles as long as they come with the OnStar system.

GM’s OnStar service offers some of the most futuristic features on any connected car, including the ability to locate the vehicle, unlock it, and even start its ignition—all from a smartphone app. But if a hacker like Samy Kamkar has hidden a small, $100 box anywhere on your OnStar-equipped car or truck, those same conveniences could fall into unintended hands.

Once the car is in range of the OwnStar device – Samy doesn’t specify what the range of the device is – the hacker is able to gain access to a user’s credentials, allowing indefinite access to the vehicle. Samy points out in the video that the vulnerability actually lies in the mobile software utilized by the service and not the actual General Motors vehicle.

“GM Product Cybersecurity representatives have reviewed the potential vulnerability recently identified by [Samy], and a fix has already been implemented to address this concern.”

With the user’s RemoteLink login credentials, Kamkar says a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside.

Despite GM’s assurance that everything has been fixed, Samy suggests users of OnStar refrain from opening the app in their vehicle until they explicitly receive an update. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account. But he believes the hack likely works with any RemoteLink-enabled vehicle: It takes advantage of an authentication problem in the OnStar smartphone app, not a vulnerability specific to any vehicle.

Kamkar says he’s contacted GM OnStar to help the company fix the problem, which he believes could be achieved through a simple update of its RemoteLink app, and had an initial conversation with the company’s security team Wednesday.

Already, researchers Charlie Miller and Chris Valasek have demonstrated to WIRED that they could wirelessly hack a Jeep or any of hundreds of thousands of Chrysler vehicles over the Internet to control steering, brakes and transmission. Kamkar’s hack shows that the same connected features in other vehicles likely have their own vulnerabilities. “We need to start paying attention to this, or cars will continue to get owned,” he says. In fact, Kamkar, a serial hacker who has recently revealed hacks for garage doors, combination locks and drones, also plans to reveal a second set of security vulnerabilities in cars’ digital key systems.
