White hat hacker: GM’s OnStar app is still vulnerable

31 Jul 2015

GM says its cars are already protected against the OnStar hack.

The world of connected cars is supposed to be a safer place—an environment where sensors and software help drivers navigate the roads more safely.

BOSTON/DETROIT: A researcher is advising drivers not to use a mobile app for General Motors Co’s OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely. “White-hat” hacker Samy Kamkar posted a video saying he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities.

Earlier today, Wired revealed a vulnerability in General Motors’ OnStar system, letting attackers effectively hijack the system to gain control of the car — but just hours after publication and days after the vulnerability was disclosed, General Motors says the problem is already fixed.

Kamkar released the video a week after Fiat Chrysler Automobiles recalled some 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. According to a General Motors representative, a fix was implemented last night in the servers that communicate with the OnStar app, instituting stronger certificate controls and effectively locking out remote attacks like the one detailed by Wired. “We did consider the option of an app update,” the representative said, “but focused primarily on a path that would allow us to make changes on the back-end that would allow the fix to be immediate, without the need for customer action.” As a result, drivers won’t need to update their phones, and the changes can take immediate effect.

GM spokesman Terrence Rhadigan told Reuters via email that the company was preparing an update to the RemoteLink app that would address the vulnerability. “It’s days away,” Rhadigan said. When asked via e-mail if it was safe to use the app before an update is released, Rhadigan said: “We believe the chances of replicating this demonstration in the real world are unlikely.”

GM’s RemoteLink app started as a feature for Chevrolet Volt owners to remotely check the status of their vehicle’s battery life, according to the company. The idea expanded and connected with OnStar to give drivers up-to-date vehicle information such as oil level, tire pressure, fuel level, and lifetime miles per gallon. So, while this latest attack might not be as dangerous as someone taking over your car, it does show one more way a hacker can gain access to personal data. The OwnStar hacking device lets the attacker do just about anything—horns, lights, unlocking, and starting—to the car except put it in gear and drive away. Kamkar recommends consumers not open the app until an update has been issued. “The systems work is done, which was a major step to ensure security for customers,” Rashid-Merem said in an email. “To fully mitigate the issue, we are also doing a RemoteLink app update which will be available in app stores soon.” GM is hardly a newcomer to connected cars.

The company has also put Wi-Fi into dozens of new Buick, Chevrolet, Cadillac, and GMC models, thanks to an AT&T 4G radio module that gives users a high-speed link comparable to what you might experience on the latest Samsung Galaxy or 4G iPad. The recent formation of the Alliance of Automobile Manufacturers (AAM)—an alliance of 12 automakers including Ford, General Motors, and Mercedes-Benz—couldn’t have come any sooner.
