Researcher says can hack GM’s OnStar app, open vehicle, start engine

30 Jul 2015

GM patches OnStar hacking vulnerability.

Update 7/30/2015 11:30am EST: GM tells WIRED that it has now fixed the vulnerability that Kamkar’s proof-of-concept device exploited, with no action necessary for OnStar users.

Not content with scaring the bejesus out of Chrysler owners, Wired has uncovered a hacker who says he can open a GM car with OnStar, start it or track it remotely. After intercepting communications between a smartphone running the OnStar RemoteLink app and the OnStar servers, Kamkar is able to locate, unlock and remote start vehicles.

Earlier today, Wired revealed a vulnerability in General Motors’ OnStar system, letting attackers effectively hijack the system to gain control of the car — but just hours after publication and days after the vulnerability was disclosed, General Motors says the problem is already fixed.

According to a General Motors representative, a fix was implemented last night in the servers that communicate with the OnStar app, instituting stronger certificate controls and effectively locking out remote attacks like the one detailed by Wired. “We did consider the option of an app update,” the representative said, “but focused primarily on a path that would allow us to make changes on the back-end that would allow the fix to be immediate, without the need for customer action.” As a result, drivers won’t need to update their phones, and the changes can take immediate effect.

GM’s OnStar service offers some of the most futuristic features on any connected car, including the ability to locate the vehicle, unlock it, and even start its ignition—all from a smartphone app. But if a hacker like Samy Kamkar has hidden a small, $100 box anywhere on your OnStar-equipped car or truck, those same conveniences could fall into unintended hands. From there, it obtains the digital keys it needs to control the vehicle at any time, passes those on to the attacker and boom, instant indefinite access.

The company has already implemented the fix, which apparently required server-side changes rather than new software installed on the vehicle itself. “GM product cybersecurity representatives have reviewed the potential vulnerability recently identified by Mr. Kamkar, and a fix has already been implemented to address this concern,” GM said in a statement to The Detroit News. “No additional action is required by our customers.” The issue has surfaced a week after Fiat Chrysler Automobiles dealt with a similar situation involving its Uconnect infotainment systems. Assuming the user logged onto the phony network and launched the GM RemoteLink app, Kamkar’s hack could retrieve the car’s data, including position.

With the user’s RemoteLink login credentials, Kamkar says a hacker could patiently track a vehicle, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. Fiat Chrysler initially handled the problem quietly, crafting a software update to protect the infotainment systems; however, the fix was later elevated to a formal safety recall affecting 1.4 million vehicles.

Kamkar posted a video on Thursday that showed how the device works, but he plans to reveal more details about how the hack works at the big security conference Defcon next week. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account. Kamkar demonstrates parts of the attack in the video above, in which he tested the attack on a friend’s 2013 Chevy Volt. Kamkar cautions that he’s only tried his OwnStar attack on that friend’s Volt.

But he believes the hack likely works with any RemoteLink-enabled vehicle: It takes advantage of an authentication problem in the OnStar smartphone app, not a vulnerability specific to any vehicle. Already, researchers Charlie Miller and Chris Valasek have demonstrated to WIRED that they could wirelessly hack a Jeep or any of hundreds of thousands of Chrysler vehicles over the Internet to control steering, brakes and transmission. Kamkar’s hack shows that the same connected features in other vehicles likely have their own vulnerabilities. “We need to start paying attention to this, or cars will continue to get owned,” he says.
