Hacker's Device Can Intercept OnStar's Mobile App and Unlock, Start GM Cars
Lucas123 writes: Security researcher Samy Kamkar posted a video today demonstrating a device he created that he calls OwnStar that can intercept communications between GM's RemoteLink mobile app and the OnStar cloud service in order to unlock and start an OnStar-equipped car. Kamkar said that after a user opens the OnStar Remote Link app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "data packets to the mobile device to acquire additional credentials. The OwnStar device then notifies the attacker about the new vehicle that the hacker has access to for an indefinite period of time, including its location, make and model. And at that point, the hacker can use the Remote Link app to control the vehicle. Kamkar said GM is aware of the security hole and is working on a fix.
not PwnStar? (Score:1)
Nt
No! (Score:5, Funny)
I for one, in Soviet Russia, didn't see this one coming
Re: (Score:1)
I found Cowboy Neal!
The ethical hacker. (Score:1)
Kamkar said GM is aware of the security hole and is working on a fix.
If he knows a fix is in the works why is he broadcasting his hack on YouTube? The OnStar client isn't a geek, doesn't follow every obscure hacker channel on YouTube, and doesn't read Computerworld.
Re: (Score:2)
Really though, this is something that GM should be notifying their vulnerable customers of, whether they follow obscure hacker channels or not.
GM is aware (Score:2)
Re: (Score:1)
It doesn't matter to me because GM sells products that I will avoid at all cost. Their cars are meant to expire after a set of metrics have been hit. And there's not much one can do about it. My buddy had his CTS stall on him once it hit 100,801KM on a 100,000KM warranty.
Back to topic: I am not surprised!
Re: (Score:2)
Ditto. Prove it, GM!
Re: (Score:2)
Re: (Score:2)
700k miles? On the same 1980's turbocharged engine? How many head gaskets have you blown through?
Re: (Score:2)
Re: (Score:1)
I am guessing Japanese. If I had to guess further I would say Supra.
Re: (Score:2)
Re: (Score:1)
Great call - I almost guessed Volvo as they hold the record. I love Saabs and Volvos. I have one each. ;)
When the Man In the Middle is You (Score:3)
Crazy that the phone is not just some kind of passthrough, but instead somewhere in the binary contains enough rights to do anything it likes with your car... the device must be just convincing the app that OnStar said it was OK to use its unlimited powers to unlock the car and start the engine or whatever.
On the other hand, perhaps that ALSO means the attack cannot work with any arbitrary car, but only with an instance of an app you have already paired to your car so it was given the right credentials? If so it's a much less serious attack than it would seem at first.
The real issue would be, if a rooted Android or iPhone device could have the car-specific credentials scraped, to use at a later time with their own OnStar app.
Re: (Score:1)
Yeah I'm not convinced... I don't see anything in the video that appears to be anything other than the normal functionality of the RemoteLink app by an authorized user. All of the functions listed (remote start, vehicle location, etc) are all normal functions of the app. Under normal use, the app will ask for a PIN for any command with security repercussions, and further commands in the same session will not require a PIN. I'd be very interested to know whether this "hack" is somehow capturing that PIN,
Re: (Score:2)
Yeah I'm not convinced... I don't see anything in the video that appears to be anything other than the normal functionality of the RemoteLink app by an authorized user. All of the functions listed (remote start, vehicle location, etc) are all normal functions of the app. Under normal use, the app will ask for a PIN for any command with security repercussions, and further commands in the same session will not require a PIN. I'd be very interested to know whether this "hack" is somehow capturing that PIN, or whether this is nothing more than a replay attack. Could be nothing more than copying the current login session from one phone to another...
Also, the remote-start thing is way overhyped. Remote starting a Chevy Volt does nothing more than turn on the A/C. You can't actually start the car and drive away without pressing the Power button, at which point the vehicle will look for and interrogate a valid key fob.
The biggest question I have so far is how he's managing to intercept the data stream between the RemoteLink app and GM. Presumably it communicates via HTTP (though one would hope HTTPS). I doubt that little box is intercepting 3G/4G cellular data, so I suspect that this is only possible via an insecure WiFi connection.
I agree, the video doesn't really prove anything. It simply looks like he's using the app normally. I could make an identical video with my own Volt. I assume he's actually doing what he claims, but the lack of detail in the video means it isn't actually proof of anything.
The SIM800L seen in his device is a quad-band GSM module. He also has a Raspberry Pi and a RTL8187L wireless NIC in there. It seems like it's a MITM attack between the app and OnStar's servers, but the GSM module makes me think he mig
Re: (Score:2)
Thanks, that's a much better article. Knowing that this is a Wi-Fi MITM attack greatly reduces the impact, at least for people like me. I'm sure it's very easy for less knowledgeable folks to stumble onto a rogue AP, but I'm not too worried about that with my own personal setup.
I'm still a bit surprised that just opening the app triggers a login (where OwnStar can steal the credentials). As I said, none of the displayed status information updates automatically; if you're going to log me in, why not at le
Re: (Score:2)
Crazy that the phone is not just some kind of passthrough, but instead somewhere in the binary contains enough rights to do anything it likes with your car... the device must be just convincing the app that OnStar said it was OK to use its unlimited powers to unlock the car and start the engine or whatever.
On the other hand, perhaps that ALSO means the attack cannot work with any arbitrary car, but only with an instance of an app you have already paired to your car so it was given the right credentials? If so it's a much less serious attack than it would seem at first.
The real issue would be, if a rooted Android or iPhone device could have the car-specific credentials scraped, to use at a later time with their own OnStar app.
The app/phone doesn't communicate directly with the car. The app communicates with the OnStar service via the Internet (you have the same functionality from their website), which then sends commands to the car via cellular data (previously VZW, switched to ATT for '15 with all the new LTE Wi-Fi hotspot stuff).
Re: (Score:2)
Mr. Braddock: Ben, this whole idea sounds pretty half-baked.
Benjamin: Oh, it's not. It's completely baked.
Re:This Screams, get real computers in cars. (Score:4, Interesting)
If your grandma's AOL-connected computer gets infected, it will at most become a nameless bot zombie and a minor nuisance. On the other hand, under a similar scenario your grandma's networked car, probably with her screaming in terror until the bitter end, could realistically become a remotely controlled weapon and seriously ruin everybody's day. Just consider that only a couple of big accidents can pretty much shut down an entire urban highway system; the bar for extreme mayhem in this case is much, much lower.
Re: (Score:1)
I imagine that they are thinking that this would be an option and "secure" by default. Keep in mind that no connected device is ever truly secure - ever. So, basically, you would have some sort of standardized information coming off the CAN bus and would read or manipulate it on your own. You would be able to configure a firewall and select access points and data restrictions based on policies. That sort of thing. It makes sense actually. I would actually love such a thing. I have an application that lets
Re: (Score:2)
Thing is, what you're proposing is fundamentally feature bloat. It doesn't help you drive.
Re: (Score:1)
Not at all but it would be fun to play with.
Re: (Score:2)
Re: (Score:1)
I would have bought one of those.
The car thief version will be called GoneStar (Score:1)
Trust me grasshopper as I have foreseen it.
Onstar (Score:4, Insightful)
Onstar is basically GM having the balls to charge the customer for the equipment that GM uses to gather personal data and to sell navigation and other services that mostly your phone already does for free.
It boggles my mind how gullible people are. I'm amazed that people don't all just refuse to buy any car with Onstar in.
Re: (Score:2)
What if you don't want it?
Re: (Score:1)
Don't buy it and quit whinging. This is not complicated. You have choices. If you are so weak that you cannot resist the shiny then, frankly, you get what you deserve. If there is a market for people who do not want such there will be cars available without such. In this case, avoid cars with OnStar. Other than that, try to keep up.
Re: (Score:2)
>> If there is a market for people who do not want such there will be cars available without such.
Not at all. In the US at least, government legislation, special interest groups like MADD and billions spent in advertising/brainwashing easily trump anything that goes against any mass-market convention, whatever it is.
>> Other than that, try to keep up.
Maybe it's actually you that needs to try to not be a dick.
Re: (Score:1)
Nah, you will find a market. There will be people who spend more and more time taking old cars and restoring them to factory condition (or better). You won't get your new cars but you will get used ones that have lots of life and the added bonus that you can fix them. You can already do this. This will just be more common if there is a market.
Re: (Score:3)
Re: (Score:2)
I just checked with GM.
But for one single exception, literally every GM vehicle made including every model GMC, Buick, Cadillac and Chevy comes with OnStar and you cannot buy the car without it.
The one single exception is the 2015 base model Chevy Colorado. Good luck finding a base model.
Re: (Score:2)
(sorry, my initial comment probably needed more context)
Re: (Score:2)
Onstar is basically GM having the balls to charge the customer for the equipment that GM uses to gather personal data and to sell navigation and other services that mostly your phone already does for free.
It boggles my mind how gullible people are. I'm amazed that people don't all just refuse to buy any car with Onstar in.
While I agree with you, the point of OnStar IS to collect personal data about GM drivers, you must concede that OnStar came about long before smart phones and Google Maps on a mobile device. In fact, the service was launched in 1996 [wikipedia.org] for model year 1997 cars. The security holes and issues in OnStar have likely existed from the very beginning. Who knows how long they've been exploited for, but we can assume that the people who designed the hardware and software for OnStar had not yet learned the lessons a
GM aware of security hole and working on fix .. (Score:2)
iOS app update (Score:1)
OnStar RemoteLink v2.1 for iOS was released today. I can't verify this is the fix for this issue, only inferring it.
GM forces onstar on you (Score:3)
I just checked with GM customer service,
But for one single exception, every GM vehicle made including every model GMC, Buick, Cadillac and Chevy comes with OnStar and you literally cannot buy the car without it.
The one single exception is the 2015 base model Chevy Colorado. Good luck finding a base model.