Transportation Communications Hardware Hacking

Hacker's Device Can Intercept OnStar's Mobile App and Unlock, Start GM Cars

Lucas123 writes: Security researcher Samy Kamkar posted a video today demonstrating a device he created that he calls OwnStar that can intercept communications between GM's RemoteLink mobile app and the OnStar cloud service in order to unlock and start an OnStar-equipped car. Kamkar said that after a user opens the OnStar Remote Link app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "data packets to the mobile device to acquire additional credentials." The OwnStar device then notifies the attacker about the new vehicle that the hacker has access to for an indefinite period of time, including its location, make and model. And at that point, the hacker can use the Remote Link app to control the vehicle. Kamkar said GM is aware of the security hole and is working on a fix.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    Nt

  • No! (Score:5, Funny)

    by IMightB ( 533307 ) on Thursday July 30, 2015 @05:18PM (#50218687) Journal

    I for one, in Soviet Russia, didn't see this one coming

  • Kamkar said GM is aware of the security hole and is working on a fix.

    If he knows a fix is in the works why is he broadcasting his hack on YouTube? The OnStar client isn't a geek, doesn't follow every obscure hacker channel on YouTube, and doesn't read Computerworld.

    • On YouTube, he didn't show how he does the hack, he merely shows that it's possible.

      Really though, this is something that GM should be notifying their vulnerable customers of, whether they follow obscure hacker channels or not.
  • prove it.
    • It doesn't matter to me because GM sells products that I will avoid at all cost. Their cars are meant to expire after a set of metrics have been hit. And there's not much one can do about it. My buddy had his CTS stall on him once it hit 100,801KM on a 100,000KM warranty.

      Back to topic: I am not surprised!

    • by antdude ( 79039 )

      Ditto. Prove it, GM!

  • Comment removed based on user account deletion
  • by SuperKendall ( 25149 ) on Thursday July 30, 2015 @05:47PM (#50218837)

    Crazy that the phone is not just some kind of passthrough, but instead somewhere in the binary contains enough rights to do anything it likes with your car... the device must be just convincing the app that OnStar said it was OK to use its unlimited powers to unlock the car and start the engine or whatever.

    On the other hand, perhaps that ALSO means the attack cannot work with any arbitrary car, but only with an instance of an app you have already paired to your car so it was given the right credentials? If so it's a much less serious attack than it would seem at first.

    The real issue would be, if a rooted Android or iPhone device could have the car-specific credentials scraped, to use at a later time with their own OnStar app.

    • by Anonymous Coward

      Yeah I'm not convinced... I don't see anything in the video that appears to be anything other than the normal functionality of the RemoteLink app by an authorized user. All of the functions listed (remote start, vehicle location, etc) are all normal functions of the app. Under normal use, the app will ask for a PIN for any command with security repercussions, and further commands in the same session will not require a PIN. I'd be very interested to know whether this "hack" is somehow capturing that PIN,

      • Yeah I'm not convinced... I don't see anything in the video that appears to be anything other than the normal functionality of the RemoteLink app by an authorized user. All of the functions listed (remote start, vehicle location, etc) are all normal functions of the app. Under normal use, the app will ask for a PIN for any command with security repercussions, and further commands in the same session will not require a PIN. I'd be very interested to know whether this "hack" is somehow capturing that PIN, or whether this is nothing more than a replay attack. Could be nothing more than copying the current login session from one phone to another...

        Also, the remote-start thing is way overhyped. Remote starting a Chevy Volt does nothing more than turn on the A/C. You can't actually start the car and drive away without pressing the Power button, at which point the vehicle will look for and interrogate a valid key fob.

        The biggest question I have so far is how he's managing to intercept the data stream between the RemoteLink app and GM. Presumably it communicates via HTTP (though one would hope HTTPS). I doubt that little box is intercepting 3G/4G cellular data, so I suspect that this is only possible via an insecure WiFi connection.

        I agree, the video doesn't really prove anything. It simply looks like he's using the app normally. I could make an identical video with my own Volt. I assume he's actually doing what he claims, but the lack of detail in the video means it isn't actually proof of anything.

        The SIM800L seen in his device is a quad-band GSM module. He also has a Raspberry Pi and a RTL8187L wireless NIC in there. It seems like it's a MITM attack between the app and OnStar's servers, but the GSM module makes me think he mig

    • Crazy that the phone is not just some kind of passthrough, but instead somewhere in the binary contains enough rights to do anything it likes with your car... the device must be just convincing the app that OnStar said it was OK to use its unlimited powers to unlock the car and start the engine or whatever.

      On the other hand, perhaps that ALSO means the attack cannot work with any arbitrary car, but only with an instance of an app you have already paired to your car so it was given the right credentials? If so it's a much less serious attack than it would seem at first.

      The real issue would be, if a rooted Android or iPhone device could have the car-specific credentials scraped, to use at a later time with their own OnStar app.

      The app/phone doesn't communicate directly with the car. The app communicates with the OnStar service via the Internet (you have the same functionality from their website), which then sends commands to the car via cellular data (previously VZW, switched to ATT for '15 with all the new LTE Wi-Fi hotspot stuff).

  • Trust me grasshopper as I have foreseen it.

  • Onstar (Score:4, Insightful)

    by JustNiz ( 692889 ) on Thursday July 30, 2015 @07:03PM (#50219347)

    Onstar is basically GM having the balls to charge the customer for the equipment that GM uses to gather personal data and to sell navigation and other services that mostly your phone already does for free.

    It boggles my mind how gullible people are. I'm amazed that people don't all just refuse to buy any car with Onstar in.

    • The target market is people who don't know how to use smartphones and such. My grandpa actually was annoyed that he couldn't get a car with onstar in it.
      • by JustNiz ( 692889 )

        I just checked with GM.
        But for one single exception, literally every GM vehicle made including every model GMC, Buick, Cadillac and Chevy comes with OnStar and you cannot buy the car without it.

        The one single exception is the 2015 base model Chevy Colorado. Good luck finding a base model.

        • But Kia doesn't make cars with OnStar last I checked, which is what he ended up buying because of reasons.

          (sorry, my initial comment probably needed more context)
    • Onstar is basically GM having the balls to charge the customer for the equipment that GM uses to gather personal data and to sell navigation and other services that mostly your phone already does for free.

      It boggles my mind how gullible people are. I'm amazed that people don't all just refuse to buy any car with Onstar in.

      While I agree with you, the point of OnStar IS to collect personal data about GM drivers, you must concede that OnStar came about long before smart phones and Google Maps on a mobile device. In fact, the service was launched in 1996 [wikipedia.org] for model year 1997 cars. The security holes and issues in OnStar have likely existed from the very beginning. Who knows how long they've been exploited for, but we can assume that the people who designed the hardware and software for OnStar had not yet learned the lessons a

  • Time and again we keep hearing about such defects. Did no one at GM even test the product against such security defects?
  • OnStar RemoteLink v2.1 for iOS was released today. I can't verify this is the fix for this issue, only inferring it.

  • by JustNiz ( 692889 ) on Friday July 31, 2015 @12:00PM (#50224367)

    I just checked with GM customer service,
    But for one single exception, every GM vehicle made including every model GMC, Buick, Cadillac and Chevy comes with OnStar and you literally cannot buy the car without it.

    The one single exception is the 2015 base model Chevy Colorado. Good luck finding a base model.
