As the dates for the Black Hat and Def Con Hacking Conference are approaching closer and closer, we are hearing more and more about the vulnerabilities and security flaws in the things we are highly dependent in our day-to-day life.
Last week we reported about how two hackers while sitting on their comfy sofas, managed to hack the onboard entertainment system of Jeep Cherokee, remotely controlling the vehicle and disable its brakes too.
Now, we have brought you another vehicle-related security flaw. And this time, on the hacker’s target list is the GM vehicles!
A privacy and security researcher and a computer hacker who goes by the name Samy Kamkar has built a gadget for about $100 that according to the hacker himself, enabled him to hack into any GM vehicle equipped with the OnStar system. He gave his gadget a name too, he called it OwnStar.
This small and high-tech gadget let the hacker to remotely locate, unlock and start the vehicle, basically allowing him to perform all those tasks that exactly what the OnStar system does!
This small but highly vulnerable $100 security hack is coming from the same guy who previously used a toy to hack and open garage doors within a matter of seconds.
What is OnStar and RemoteLink
This section will be helpful for those of you who don’t know about OnStar and RemoteLink.
GM offers its customers with a couple of high-tech features so that the customers can keep track of their vehicle’s status, remotely. And even perform some basic operations without physically touching their vehicle.
OnStar is a subscription-based in-car service provided by GM to enhance the security of the vehicle, provide the customer with hands-free calling option, perform remote diagnostics of the vehicle and even offer a turn-by-turn navigation system.
And on the other hand, RemoteLink which is a part of OnStar, is actually a mobile app that connects the vehicle’s OnStar system with the smartphone which results in an amplified range to perform all those tasks wirelessly. But the app offers some other functions too like remote unlocking and remotely starting the vehicle. Apart from that, the user can even sound the horn and turn on/off the headlights.
OwnStar and Its Working
The working of OwnStar is really simple. The gadget acts as a Wi-Fi hotspot which interrupts all the commands sent by the driver’s OnStar RemoteLink mobile application, once these commands are intercepted, an unauthorized user will be allowed to remotely locate, unlock and even start the vehicle.
But, in order to make this hack practical, a hacker must have to place the OwnStar gadget somewhere inside the OnStar equipped vehicle and then wait for the vehicle user to open the OnStar app. Since Kamkar’s gadget intercepts the Wi-Fi commands which is why its proximity matters.
Once the vehicle user operates the OnStar app, his smartphone will automatically get linked with the hotspot network provided by OwnStar, ultimately allowing the hacker to gain access to all the vehicle owner’s information including personal details as well as the basic controls of the vehicle.
GM’s Response and the Security Fix
GM was really quick in responding to the vulnerability. Unlike others, he responded within a few hours after the news was published. He said that the company was aware of the vulnerability and the patch has already been released which was meant to secure the back-end of the RemoteLink app. This way the vehicle owners won’t have to update their smartphones.
“We did consider the option of an app update, but focused primarily on a path that would allow us to make changes on the back-end that would allow the fix to be immediate, without the need for customer action.”
But to our surprise, Kamkar responded that the RemoteLink patch released by GM has still not resolved the bug and the service is still vulnerable. He also added that he is currently working with the GM team to fix this security bug.
OwnStar update: GM told WIRED that OnStar bug was fixed, however it's not actually resolved yet. I spoke with GM & they're working on it now
— samy kamkar (@samykamkar) July 30, 2015
Later, GM said that an update to their RemoteLink app will be required which will eventually fix the vulnerability. According to the statement:
“GM takes matters that affect our customers’ safety and security very seriously. GM product cybersecurity representatives have reviewed the potential vulnerability recently identified. In working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk.”
OnStar also responded via Twitter that an enhanced version of RemoteLink app will be released “soon”.
@CNET We take all cyber matters very seriously. An enhanced RemoteLink app will be made available soon to fully mitigate the risk.
— OnStar (@OnStar) July 30, 2015
What Vehicle Owners Should Do
Kamkar told TechInsider that the car manufacturers are new into the field of the Internet and they are not investing much into the security sector which is the reason why they are facing such issues.
“Before the attack surface was much smaller. The only people who could communicate with your car typically had to have physical access, like someone who was inside your car. This is new territory for car manufacturers, I believe. So I think that is why they are not investing as much as they should in security.”
Since GM and the security researcher is working as a team to release a fix for this second major vehicle-based hack, those consumers who are really concerned about their vehicle’s safety can always disable the features provided by OnStar until patches are released by the company.
Apart from that, sadly, there is nothing much you can do about it.
OwnStar Video Demo
Kamkar also published a video which demonstrates the working of OwnStar, but he has planned to reveal more about his findings in the upcoming DefCon Conference scheduled next week.
Report typos and corrections to [email protected]
