UPDATE 1-Researcher says can hack GM’s OnStar app, open vehicle, start engine

31 Jul 2015

GM says its cars are already protected against the OnStar hack.

A researcher is advising drivers not to use a mobile app for General Motors Co.’s OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely. “White-hat” hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Update 7/30/2015 3:00pm EST: GM tells WIRED that it has now fixed the vulnerability that Kamkar’s proof-of-concept device exploited, with no action necessary for OnStar users. Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities. Earlier today, Wired revealed a vulnerability in General Motors’ OnStar system, letting attackers effectively hijack the system to gain control of the car — but just hours after publication and days after the vulnerability was disclosed, General Motors says the problem is already fixed.

Kamkar released the video a week after Fiat Chrysler Automobiles recalled about 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. According to a General Motors representative, a fix was implemented last night in the servers that communicate with the OnStar app, instituting stronger certificate controls and effectively locking out remote attacks like the one detailed by Wired. “We did consider the option of an app update,” the representative said, “but focused primarily on a path that would allow us to make changes on the back-end that would allow the fix to be immediate, without the need for customer action.” As a result, drivers won’t need to update their phones, and the changes can take immediate effect. GM’s OnStar service offers some of the most futuristic features on any connected car, including the ability to locate the vehicle, unlock it, and even start its ignition—all from a smartphone app.

But if a hacker like Samy Kamkar has hidden a small, $100 box anywhere on your OnStar-equipped car or truck, those same conveniences could fall into unintended hands. GM spokesman Terrence Rhadigan told Reuters via email that the company was preparing an update to the RemoteLink app that would address the vulnerability. “It’s days away,” Rhadigan said.

When asked via email if it was safe to use the app before an update is released, Rhadigan said: “We believe the chances of replicating this demonstration in the real world are unlikely.” With the user’s RemoteLink login credentials, Kamkar says a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

Kamkar demonstrates parts of the attack in the video above, in which he tested the attack on a friend’s 2013 Chevy Volt.1 Kamkar cautions that he’s only tried his OwnStar attack on that friend’s Volt. But he believes the hack likely works with any RemoteLink-enabled vehicle: It takes advantage of an authentication problem in the OnStar smartphone app, not a vulnerability specific to any vehicle. Kamkar says he’s contacted GM OnStar to help the company fix the problem, which he believes could be achieved through a simple update of its RemoteLink app, and had an initial conversation with the company’s security team Wednesday. Kamkar, and an immediate fix is being implemented to address this concern.” Kamkar’s goal isn’t to use his attack to help thieves steal the contents of cars or unleash a remote honking-hack epidemic on GM vehicles.

Kamkar’s hack shows that the same connected features in other vehicles likely have their own vulnerabilities. “We need to start paying attention to this, or cars will continue to get owned,” he says. In fact, Kamkar, a serial hacker who has recently revealed hacks for garage doors, combination locks and drones, also plans to reveal a second set of security vulnerabilities in cars’ digital key systems. Before focusing on GM OnStar, he adds that he had found yet another vulnerable automobile system that he had planned to speak about, but the company responsible for the flaws fixed them without his help. (Kamkar declined to reveal any more about that aborted research.) The fact that Kamkar was able to switch his focus to GM OnStar and within weeks find another gaping vulnerability shows how bountiful the flaws in cars’ internet security have become, Kamkar says. “It’s a wide-open field…the carmakers are new to this,” he says. “If you continue to look at other cars or really anything in the Internet of things, you’re going to continue to see massive issues.”

1 Correction 7/30/2015 11:30am EST: An earlier version of this story said that the remote ignition could be used to drain the gas or fill a garage with carbon monoxide, but a GM spokesperson pointed out that the remote ignition only allows the engine to run briefly and doesn’t respond to repeated uses without the key present.
