Hacker Shows How to Locate, Unlock, Start GM Cars with a Hacked Mobile App

As the dates for the Black Hat and Def Con Hacking Conference are approaching closer and closer, we are hearing more and more about the vulnerabilities and security flaws in the things we are highly dependent in our day-to-day life.

Last week we reported about how two hackers while sitting on their comfy sofas, managed to hack the onboard entertainment system of Jeep Cherokee, remotely controlling the vehicle and disable its brakes too.

Image Source: Samy Kamkar
Image Source: Samy Kamkar

Now, we have brought you another vehicle-related security flaw. And this time, on the hacker’s target list is the GM vehicles!

A privacy and security researcher and a computer hacker who goes by the name Samy Kamkar has built a gadget for about $100 that according to the hacker himself, enabled him to hack into any GM vehicle equipped with the OnStar system. He gave his gadget a name too, he called it OwnStar.

This small and high-tech gadget let the hacker to remotely locate, unlock and start the vehicle, basically allowing him to perform all those tasks that exactly what the OnStar system does!

Hacker Kamkar shows how he can control a Chevy Volt after hacking the OnStar mobile app

This small but highly vulnerable $100 security hack is coming from the same guy who previously used a toy to hack and open garage doors within a matter of seconds.

What is OnStar and RemoteLink

This section will be helpful for those of you who don’t know about OnStar and RemoteLink.

GM offers its customers with a couple of high-tech features so that the customers can keep track of their vehicle’s status, remotely. And even perform some basic operations without physically touching their vehicle.

OnStar is a subscription-based in-car service provided by GM to enhance the security of the vehicle, provide the customer with hands-free calling option, perform remote diagnostics of the vehicle and even offer a turn-by-turn navigation system.

The device on the left side is hacker’s OwnStar which he used during the interception of smartphones nearby using the same OnStar mobile app. As you can see the device on the right side shows user’s mobile phone connected to the RemoteLink app.

And on the other hand, RemoteLink which is a part of OnStar, is actually a mobile app that connects the vehicle’s OnStar system with the smartphone which results in an amplified range to perform all those tasks wirelessly. But the app offers some other functions too like remote unlocking and remotely starting the vehicle. Apart from that, the user can even sound the horn and turn on/off the headlights.

OwnStar and Its Working

The working of OwnStar is really simple. The gadget acts as a Wi-Fi hotspot which interrupts all the commands sent by the driver’s OnStar RemoteLink mobile application, once these commands are intercepted, an unauthorized user will be allowed to remotely locate, unlock and even start the vehicle.

But, in order to make this hack practical, a hacker must have to place the OwnStar gadget somewhere inside the OnStar equipped vehicle and then wait for the vehicle user to open the OnStar app. Since Kamkar’s gadget intercepts the Wi-Fi commands which is why its proximity matters.

Once the vehicle user operates the OnStar app, his smartphone will automatically get linked with the hotspot network provided by OwnStar, ultimately allowing the hacker to gain access to all the vehicle owner’s information including personal details as well as the basic controls of the vehicle.

GM’s Response and the Security Fix

GM was really quick in responding to the vulnerability. Unlike others, he responded within a few hours after the news was published. He said that the company was aware of the vulnerability and the patch has already been released which was meant to secure the back-end of the RemoteLink app. This way the vehicle owners won’t have to update their smartphones.

“We did consider the option of an app update, but focused primarily on a path that would allow us to make changes on the back-end that would allow the fix to be immediate, without the need for customer action.”

But to our surprise, Kamkar responded that the RemoteLink patch released by GM has still not resolved the bug and the service is still vulnerable. He also added that he is currently working with the GM team to fix this security bug.

Later, GM said that an update to their RemoteLink app will be required which will eventually fix the vulnerability. According to the statement:

“GM takes matters that affect our customers’ safety and security very seriously. GM product cybersecurity representatives have reviewed the potential vulnerability recently identified. In working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk.”

OnStar also responded via Twitter that an enhanced version of RemoteLink app will be released “soon”.

What Vehicle Owners Should Do

Kamkar told TechInsider that the car manufacturers are new into the field of the Internet and they are not investing much into the security sector which is the reason why they are facing such issues.

“Before the attack surface was much smaller. The only people who could communicate with your car typically had to have physical access, like someone who was inside your car. This is new territory for car manufacturers, I believe. So I think that is why they are not investing as much as they should in security.”

Since GM and the security researcher is working as a team to release a fix for this second major vehicle-based hack, those consumers who are really concerned about their vehicle’s safety can always disable the features provided by OnStar until patches are released by the company.

Apart from that, sadly, there is nothing much you can do about it.

OwnStar Video Demo

Kamkar also published a video which demonstrates the working of OwnStar, but he has planned to reveal more about his findings in the upcoming DefCon Conference scheduled next week.

Report typos and corrections to [email protected]

Related Posts