Hacker discovers major vulnerability in GM cars, hijacks vehicle functions

1 Aug 2015 | Author: | No comments yet »

GM says its cars are already protected against the OnStar hack.

On Friday afternoon, GM OnStar announced a software update to its RemoteLink app for iPhone to patch a security vulnerability that could have been used from across the internet to track GM vehicles, unlock their doors, start their ignitions, and even access the car owner’s email and address.On the heels of a 1.4 million car recall by Fiat Chrysler to patch hacker-exposed software, now comes word that a hacker made a $100 box he says can take over basic controls of an OnStar-equipped General Motors car. (GM says it’s already fixed the problem.Security researcher Samy Kamkar said he’s been able to remotely start car engines and operate other vehicle features from afar, releasing a proof-of-concept video of his research Thursday showing how a homemade computer device composed of a Wi-Fi hotspot and about $100 in parts can give hackers control over cars equipped with OnStar. Earlier today, Wired revealed a vulnerability in General Motors’ Onstar system, letting attackers effectively hijack the system to gain control of the car — but just hours after publication and days after the vulnerability was disclosed, General Motors says the problem is already fixed.

Hacker Samy Kamkar says: “Nuh-uh!” and plans to show his results at a hacker conference next week.) Road and Track’s Robert Sorokanich pointed out that a recent demonstration of a hack of a Jeep Cherokee, written up in Wired magazine, was the result of months of research and planning. GM’s Onstar service offers some of the most futuristic features on any connected car, including the ability to locate the vehicle, unlock it, and even start its ignition—all from a smartphone app. According to a General Motors representative, a fix was implemented last night in the servers that communicate with the OnStar app, instituting stronger certificate controls and effectively locking out remote attacks like the one detailed by Wired. “We did consider the option of an app update,” the representative said, “but focused primarily on a path that would allow us to make changes on the back-end that would allow the fix to be immediate, without the need for customer action.” As a result, drivers won’t need to update their phones, and the changes can take immediate effect. It was frightening in that, unlike previous hackers who physically altered cars to allow them to be taken over remotely, the Jeep hackers controlled a car they hadn’t physically tampered with. But if a hacker like Samy Kamkar has hidden a small, $100 box anywhere on your Onstar-equipped car or truck, those same conveniences could fall into unintended hands.

In our continued testing and conversations with him yesterday, we confirmed that [fix sufficed] for Android, Windows and Blackberry users but not for Apple iOS users,” wrote GM spokesperson Renee Rashid-Merem in a statement to WIRED. “GM takes matters that affect our customers’ safety and security very seriously… An update is now available via Apple’s App Store. Impacted customers will receive a communication from OnStar today and the previous version of the app will be decommissioned following that communication to ensure customer security.” Kamkar had proven the existence of that OnStar vulnerability with a proof-of-concept device he plans to detail at the hacker conference DefCon next week. Is there a hacker out there who knows your Chrysler vehicle’s IP address, possesses masters-level computing skills, and has months to devote to reverse-engineering a way to take over your car? If the connection is successfully established, the car will then send sensitive user data over that network with the intent of supplying OnStar with second-by-second navigational details, the likes of which in actuality ends up in the hands of the hacker. “After a user opens the RemoteLink mobile app on their phone near my OwnStar device, OwnStar intercepts the communications and sends specially crafted packets to the mobile device to acquire additional credentials then notifies me, the attacker, about the vehicle that I indefinitely have access to, including its location, make, and model,” he explained in the clip. With the user’s RemoteLink login credentials, Kamkar says a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside.

By disguising the name of the malicious network running inside the OwnStar box to something innocent-looking like “attwifi,” the free Wi-Fi account often available at Starbucks, a hacker has better odds of tricking a phone with RemoteLink into automatically connecting. GM’s RemoteLink app started as a feature for Chevrolet Volt owners to remotely check the status of their vehicle’s battery life, according to the company. The idea expanded and connected with OnStar to give drivers up-to-date vehicle information such as oil level, tire pressure, fuel level, and lifetime miles per gallon. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account. Kamkar demonstrates parts of the attack in the video above, in which he tested the attack on a friend’s 2013 Chevy Volt.1 Kamkar cautions that he’s only tried his OwnStar attack on that friend’s Volt.

Observers say carmakers, heretofore focused on loading vehicles up with digital connectivity, are starting to focus on security. “The fear mongering gets people to be diligent about this because you don’t want unintended consequences,” John Ellis told PC Magazine recently. But he believes the hack likely works with any RemoteLink-enabled vehicle: It takes advantage of an authentication problem in the OnStar smartphone app, not a vulnerability specific to any vehicle. He was a global technologist at Ford and now runs the consultancy firm Ellis & Associates, the magazine said. “But it’s nowhere near this cataclysmic event that people keep hearing about, and the car companies are hiring security people and taking this more and more seriously.” Kamkar, the self-proclaimed OnStar hacker, said his goal is to raise awareness about the potential for hacking not just cars but all connected devices. “I do play Grand Theft Auto a lot, but my motivation isn’t to steal cars,” Kamkar said in the Wired story about his project. “I want to point out the lack of security here and the fact we need to pay more attention as we make more devices connected and quote ‘smart.’ The proof of concept is to show that it’s reasonably trivial for someone in my industry to do this.” “Why aren’t you stopping, honey?

Kamkarwrote on Twitter that the issue had yet to be resolved. “We believe the chances of replicating this demonstration in the real world are unlikely. So, while this latest attack might not be as dangerous as someone taking over your car, it does show one more way a hacker can gain access to personal data. The OwnStar hacking device lets the attacks do just about anything—horns, lights, unlocking, and starting—to the car except put it in gear and drive away. Kamkar says he’ll reveal more details about the OnStar security flaw, as well as other car-related attacks in future videos and at DefCon, an annual security conference to be held in Las Vegas next week.

GM’s product cybersecurity representatives have reviewed the recently identified potential vulnerability, spokeswoman Renee Rashid-Merem told Fortune, adding that the company hasn’t had any other reports of hacking the RemoteLink app aside from the demonstration by Kamkar. Earlier this month, WIRED revealed that security researchers Charlie Miller and Chris Valasek had wirelessly hacked a 2014 Jeep Cherokee, a demonstration that led to a recall for 1.4 million Chrysler vehicles. Kamkar, and an immediate fix is being implemented to address this concern.” Kamkar’s goal isn’t to use his attack to help thieves steal the contents of cars or unleash a remote honking-hack epidemic on GM vehicles.

Kamkar recommends consumers not open the app until an update has been issued. “The systems work is done, which was a major step to ensure security for customers,” Rashid-Merem said in an email. “To fully mitigate the issue, we are also doing a RemoteLink app update which will be available in app stores soon.” GM is hardly a newcomer to connected cars. That’s a sign, he says, of just how inexperienced automakers are when it comes to cybersecurity, and just how many bugs may be left to find and fix in internet-connected cars. “We need to start paying attention to this,” he told WIRED earlier this week. “Or cars will continue to get owned.”

The company has also put Wi-Fi into dozens of new Buick, Chevrolet, Cadillac, and GMC models, thanks to an AT&T 4G radio module that gives users a high-speed link comparable to what you might experience on the latest Samsung Galaxy or 4G iPad. In fact, Kamkar, a serial hacker who has recently revealed hacks for garage doors, combination locks and drones, also plans to reveal a second set of security vulnerabilities in cars’ digital key systems. The recent formation of the Alliance of Automobile Manufacturers (AAM)—an alliance of 12 automakers including Ford F -1.79% , General Motors , and Mercedes-Benz—couldn’t have come any sooner.

Here you can write a commentary on the recording "Hacker discovers major vulnerability in GM cars, hijacks vehicle functions".

* Required fields
All the reviews are moderated.
Our partners
Follow us
Contact us
Our contacts


ICQ: 423360519

About this site