Slashdot Mirror


Hacker's Device Can Intercept OnStar's Mobile App and Unlock, Start GM Cars

Lucas123 writes: Security researcher Samy Kamkar posted a video today demonstrating a device he created that he calls OwnStar that can intercept communications between GM's RemoteLink mobile app and the OnStar cloud service in order to unlock and start an OnStar-equipped car. Kamkar said that after a user opens the OnStar Remote Link app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "data packets to the mobile device to acquire additional credentials." The OwnStar device then notifies the attacker about the new vehicle that the hacker has access to for an indefinite period of time, including its location, make and model. And at that point, the hacker can use the Remote Link app to control the vehicle. Kamkar said GM is aware of the security hole and is working on a fix.

54 comments

  1. not PwnStar? by Anonymous Coward · · Score: 1

    Nt

    1. Re:not PwnStar? by Anonymous Coward · · Score: 0

      You Southie?

  2. No! by IMightB · · Score: 4, Funny

    I for one, in Soviet Russia, didn't see this one coming

    1. Re:No! by Anonymous Coward · · Score: 0

      from a beowulf cluster of natalie portmans naked and petrified and covered in hot grits, netcraft confirms.

    2. Re:No! by KGIII · · Score: 1

      I found Cowboy Neal!

      --
      "So long and thanks for all the fish."
  3. The ethical hacker. by westlake · · Score: 0

    >> Kamkar said GM is aware of the security hole and is working on a fix.

    If he knows a fix is in the works, why is he broadcasting his hack on YouTube? The OnStar client isn't a geek, doesn't follow every obscure hacker channel on YouTube, and doesn't read Computerworld.

    1. Re:The ethical hacker. by phantomfive · · Score: 1

      On YouTube, he didn't show how he does the hack; he merely shows that it's possible.

      Really though, this is something that GM should be notifying their vulnerable customers of, whether they follow obscure hacker channels or not.

      --
      "First they came for the slanderers and i said nothing."
  4. GM is aware by turkeydance · · Score: 1

    prove it.

    1. Re:GM is aware by Anonymous Coward · · Score: 0

      Give me a day and they will be.

      Someone had to have misconfigured a router and a server rule.

    2. Re:GM is aware by bogaboga · · Score: 0

      It doesn't matter to me because GM sells products that I will avoid at all cost. Their cars are meant to expire after a set of metrics have been hit. And there's not much one can do about it. My buddy had his CTS stall on him once it hit 100,801KM on a 100,000KM warranty.

      Back to topic: I am not surprised!

    3. Re:GM is aware by antdude · · Score: 1

      Ditto. Prove it, GM!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  5. Neat. by ArylAkamov · · Score: 1

    I was just talking about this with a friend of mine, along with the old BMW hack and the Jeep.

    Thanks. I'll stick with my 1980's turbo shitbox. 700k miles and still boosting strong.

    1. Re:Neat. by wiggles · · Score: 1

      700k miles? On the same 1980's turbocharged engine? How many head gaskets have you blown through?

    2. Re:Neat. by ArylAkamov · · Score: 1

      Well, I bought it 5 years ago with the odometer stuck at just over 700k. Nobody really knows how many miles, but it runs smooth and compression test checks out. No head gaskets so far.

      I actually bought and rebuilt an engine for it, but it just sits in the garage because this one just won't die. Starting to burn more and more oil though.

    3. Re:Neat. by KGIII · · Score: 1

      I am guessing Japanese. If I had to guess further I would say Supra.

      --
      "So long and thanks for all the fish."
    4. Re:Neat. by ArylAkamov · · Score: 1

      1986 Saab 900 SPG. Old Saabs and Volvos can go nearly forever if maintained, my mother has a 1979 volvo 242dl she's owned since she graduated highschool, still original everything.

    5. Re:Neat. by KGIII · · Score: 1

      Great call - I almost guessed Volvo as they hold the record. I love Saabs and Volvos. I have one each. ;)

      --
      "So long and thanks for all the fish."
  6. When the Man In the Middle is You by SuperKendall · · Score: 2

    Crazy that the phone is not just some kind of passthrough, but instead somewhere in the binary contains enough rights to do anything it likes with your car... the device must be just convincing the app that OnStar said it was OK to use its unlimited powers to unlock the car and start the engine or whatever.

    On the other hand, perhaps that ALSO means the attack cannot work with any arbitrary car, but only with an instance of an app you have already paired to your car so it was given the right credentials? If so, it's a much less serious attack than it would seem at first.

    The real issue would be if a rooted Android or iPhone device could have the car-specific credentials scraped, to use at a later time with their own OnStar app.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:When the Man In the Middle is You by Anonymous Coward · · Score: 0

      The good news is that the remote disable part of OnStar is not affected, which I was most afraid of.

    2. Re:When the Man In the Middle is You by Anonymous Coward · · Score: 1

      Yeah, I'm not convinced... I don't see anything in the video that appears to be anything other than the normal functionality of the RemoteLink app by an authorized user. All of the functions listed (remote start, vehicle location, etc.) are all normal functions of the app. Under normal use, the app will ask for a PIN for any command with security repercussions, and further commands in the same session will not require a PIN. I'd be very interested to know whether this "hack" is somehow capturing that PIN, or whether this is nothing more than a replay attack. Could be nothing more than copying the current login session from one phone to another...

      Also, the remote-start thing is way overhyped. Remote starting a Chevy Volt does nothing more than turn on the A/C. You can't actually start the car and drive away without pressing the Power button, at which point the vehicle will look for and interrogate a valid key fob.

      The biggest question I have so far is how he's managing to intercept the data stream between the RemoteLink app and GM. Presumably it communicates via HTTP (though one would hope HTTPS). I doubt that little box is intercepting 3G/4G cellular data, so I suspect that this is only possible via an insecure WiFi connection.

    3. Re:When the Man In the Middle is You by InvisiBill · · Score: 1

      >> Crazy that the phone is not just some kind of passthrough, but instead somewhere in the binary contains enough rights to do anything it likes with your car... the device must be just convincing the app that OnStar said it was OK to use its unlimited powers to unlock the car and start the engine or whatever.

      >> On the other hand, perhaps that ALSO means the attack cannot work with any arbitrary car, but only with an instance of an app you have already paired to your car so it was given the right credentials? If so, it's a much less serious attack than it would seem at first.

      >> The real issue would be if a rooted Android or iPhone device could have the car-specific credentials scraped, to use at a later time with their own OnStar app.

      The app/phone doesn't communicate directly with the car. The app communicates with the OnStar service via the Internet (you have the same functionality from their website), which then sends commands to the car via cellular data (previously VZW, switched to ATT for '15 with all the new LTE Wi-Fi hotspot stuff).

    4. Re:When the Man In the Middle is You by InvisiBill · · Score: 1

      >> Yeah, I'm not convinced... I don't see anything in the video that appears to be anything other than the normal functionality of the RemoteLink app by an authorized user. All of the functions listed (remote start, vehicle location, etc.) are all normal functions of the app. Under normal use, the app will ask for a PIN for any command with security repercussions, and further commands in the same session will not require a PIN. I'd be very interested to know whether this "hack" is somehow capturing that PIN, or whether this is nothing more than a replay attack. Could be nothing more than copying the current login session from one phone to another...

      >> Also, the remote-start thing is way overhyped. Remote starting a Chevy Volt does nothing more than turn on the A/C. You can't actually start the car and drive away without pressing the Power button, at which point the vehicle will look for and interrogate a valid key fob.

      >> The biggest question I have so far is how he's managing to intercept the data stream between the RemoteLink app and GM. Presumably it communicates via HTTP (though one would hope HTTPS). I doubt that little box is intercepting 3G/4G cellular data, so I suspect that this is only possible via an insecure WiFi connection.

      I agree, the video doesn't really prove anything. It simply looks like he's using the app normally. I could make an identical video with my own Volt. I assume he's actually doing what he claims, but the lack of detail in the video means it isn't actually proof of anything.

      The SIM800L seen in his device is a quad-band GSM module. He also has a Raspberry Pi and an RTL8187L wireless NIC in there. It seems like it's a MITM attack between the app and OnStar's servers, but the GSM module makes me think he might be generating cellular packets to send directly to the target vehicle. The app doesn't even automatically refresh the displayed vehicle status info just by opening the app, so it doesn't seem like simply opening the app would trigger an OnStar-to-vehicle cellular connection that he could take advantage of.

      I suppose it could be for intercepting the app's traffic over a cellular connection, but it seems like breaking into that data stream would be more complex than hijacking a Wi-Fi connection (though I admittedly don't know too much about data over cellular connections). It looks like all of the iPhones that are in use are on VZW cellular connections (the screenshot of the map is on Wi-Fi).

      Maybe it's just to give the OwnStar cellular connection ability to report the target vehicle info to him from anywhere? That seems a bit excessive for a PoC for local testing, but I guess if he's taking it to DefCon, he would want it to work there.

      If he is doing something with a direct cellular connection, it's somewhat mitigated by the fact that '14 and older models use VZW CDMA for OnStar service, while '15 and newer models have switched to AT&T. I'm sure it wouldn't be too hard to use a different cellular radio in the OwnStar, but it does make the target vehicles somewhat heterogeneous.

    5. Re:When the Man In the Middle is You by Anonymous Coward · · Score: 0

      The Wired article has a few more details. http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/

      It appears that the device acts as a rogue AP with a generic SSID like "attwifi" in the hopes of users' phones connecting automatically. The GSM module provides the internet backhaul as well as allowing the intercepted data to be sent to the "hacker".

      Evidently the Raspberry Pi is performing a MITM attack by stripping the SSL and re-signing with its own certificate. The crux of the issue is the fact that the RemoteLink app doesn't verify that the SSL cert is only the correct one issued to OnStar.

      Simple fix... Change the code so that it checks the validity of the SSL certificate. Bet the code monkeys will be working all weekend on this one.
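
The defect described in this comment, and the fix it proposes, as an added example in Go (not Kamkar's code, GM's app, or anything from the page): two throwaway TLS servers on loopback stand in for the real backend and for an interposing proxy, each with its own self-signed certificate. A client configured with `InsecureSkipVerify` (the "doesn't verify the SSL cert" behaviour) accepts both; a client that validates the chain against an explicit trust anchor and additionally pins the backend's SubjectPublicKeyInfo hash accepts only the legitimate one. The server names, the `Scenario` helper and the use of self-signed test certificates are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned mints a throwaway self-signed certificate valid for 127.0.0.1.
// Both the stand-in backend and the interposer get one; because each has its
// own key, their certificates and SPKI pins differ. (Test material, not real.)
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// newServer starts a loopback TLS server that presents the given certificate.
func newServer(cert tls.Certificate, body string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, body)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the usual pin format.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// weakConfig: the client never checks who it is talking to, so a certificate
// an interposing proxy minted for itself is accepted like any other.
func weakConfig(_ *x509.Certificate) *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// hardenedConfig: chain validation against an explicit trust anchor, plus a pin
// on the expected server key so that a certificate from any other issuer,
// even a "valid" one, is refused.
func hardenedConfig(trusted *x509.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	want := spkiPin(trusted)
	return &tls.Config{
		RootCAs: roots,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("no peer certificate presented")
			}
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			if got := spkiPin(leaf); got != want {
				return fmt.Errorf("certificate pin mismatch: got %s", got)
			}
			return nil
		},
	}
}

// connects reports whether a client using cfg completes a GET to url.
func connects(url string, cfg *tls.Config) bool {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return false
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	return true
}

// Outcome records whether a client accepted the legitimate server and the interposer.
type Outcome struct{ Legit, Interposer bool }

// Scenario sends the same request to the stand-in backend and to a server
// holding a different key, using the client config that build returns.
func Scenario(build func(legit *x509.Certificate) *tls.Config) Outcome {
	legit := newServer(selfSigned("backend-stand-in"), "real backend")
	defer legit.Close()
	mitm := newServer(selfSigned("interposer"), "interposer")
	defer mitm.Close()
	cfg := build(legit.Certificate())
	return Outcome{Legit: connects(legit.URL, cfg), Interposer: connects(mitm.URL, cfg)}
}

func main() {
	fmt.Printf("no verification: %+v\n", Scenario(weakConfig))
	fmt.Printf("verify + pin:    %+v\n", Scenario(hardenedConfig))
}
```

Running it prints `{Legit:true Interposer:true}` for the weak client and `{Legit:true Interposer:false}` for the hardened one. In a production mobile client the `RootCAs` would be the platform trust store rather than a single self-signed anchor; the pin callback is the part that closes the gap the comment describes, since it refuses a certificate that chains correctly but was not issued for the expected key.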

    6. Re:When the Man In the Middle is You by InvisiBill · · Score: 1

      Thanks, that's a much better article. Knowing that this is a Wi-Fi MITM attack greatly reduces the impact, at least for people like me. I'm sure it's very easy for less knowledgeable folks to stumble onto a rogue AP, but I'm not too worried about that with my own personal setup.

      I'm still a bit surprised that just opening the app triggers a login (where OwnStar can steal the credentials). As I said, none of the displayed status information updates automatically; if you're going to log me in, why not at least show me current details in the app?

      >> Kamkar’s shown that if a hacker can plant a cheap, homemade Wi-Fi hotspot device somewhere on the car’s body—such as under a bumper or its chassis—to capture commands sent from the user’s smartphone, the results for vulnerable vehicle owners could range from nasty pranks to privacy breaches to actual theft.

      That seems like one of the worst places to do this. Due to the phone-internet link, server processing time, and VZW CDMA OnStar connection, the app is rather pokey. Other than possibly showing a curious person how it works or after locking my keys in the car, I would never bother to use RemoteLink if I was already at the car. You need to be where the phone/app is, which is probably not where the car is - that's the whole point of remote access features.

  7. Here we go by Anonymous Coward · · Score: 0

    Half baked hackers are running to take advantage of half baked products. Congratulations for discovering the easy things to take advantage of

    1. Re:Here we go by Anonymous Coward · · Score: 0

      Uhm... if half baked hackers are all it takes to find the flaws, isn't that optimization of effort? Save the best hackers for the most secure systems and all that?

      Not to mention that a high impact low effort vulnerability is the worst kind.

      I know slashdot has gone downhill, but please, even AC comments should be better than that.

    2. Re:Here we go by Anonymous Coward · · Score: 0

      OK. If it's half baked hackers and half baked products, isn't something or someone totally baked?

    3. Re:Here we go by OhSoLaMeow · · Score: 1

      Ob quote from The Graduate:

      Mr. Braddock: Ben, this whole idea sounds pretty half-baked.
      Benjamin: Oh, it's not. It's completely baked.

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  8. This Screams, get real computers in cars. by Anonymous Coward · · Score: 0

    I'm really waiting for some actual off the shelf PC components for the car. Build a network in your car, protect it yourself and stay the hell out of my vehicle and info, "Car Manufacturers", your job is to make cars! A great system in your car is not a perk, it's as important as the windows on your house.

    1. Re:This Screams, get real computers in cars. by sinij · · Score: 3, Interesting

      Seeing all these vulnerabilities pop up in all these cars, knowing how malware-ridden a typical user's GPC is, you are asking for more GPC in cars?!?! What is wrong with you?!

      If your grandma's AOL-connected computer gets infected, it will at most become a nameless bot zombie and a minor nuisance. On the other hand, under a similar scenario your grandma's networked car, probably with her screaming in terror until the bitter end, could realistically become a remotely controlled weapon and seriously ruin everybody's day. Just consider that only a couple of big accidents can pretty much shut down an entire urban highway system; the bar for extreme mayhem in this case is much, much lower.

    2. Re:This Screams, get real computers in cars. by KGIII · · Score: 1

      I imagine that they are thinking that this would be an option and "secure" by default. Keep in mind that no connected device is ever truly secure - ever. So, basically, you would have some sort of standardized information coming off the CAN bus and would read or manipulate it on your own. You would be able to configure a firewall and select access points and data restrictions based on policies. That sort of thing. It makes sense actually. I would actually love such a thing. I have an application that lets me play with stuff like timing and whatnot via a laptop connected to the OBD-II.

      Having something formal and a full blown OS for it would be absolutely grand and, frankly, I can probably secure such better than they can. It would be neat being able to get specialist applications for your car as well. Those folks who are into hypermiling may even be able to benefit from such but, all-in-all it seems like a great idea and I would be happy to secure my own automobile. I would take responsibility for that.

      What would be even more impressive is if the car manufacturers got together and decided on a standard. We could roll our own AutOS (see what I did there?) based on FOSS and have at it. Provided it had a big red "reset to factory" button I think it would be great and would encourage people to hack at their own cars. Patches, applications, tweaks, and hacks (not the pejorative) could be passed upstream for consideration for inclusion in future releases. I am all for it and would likely donate a bunch of my time and effort at improving such to the best of my ability.

      I had not really considered the idea until they mentioned it even though I have spent a number of hours in my cars with laptop connected to the OBD-II port. It just never crossed my mind that embedding it would be a great idea - and it would be. A touch screen, a USB port for a keyboard and mouse (or just bluetooth) would make it awesome. Hell, with a contract and 4G you could even turn yourself into a rolling hot spot and do crazy stuff like that. It would bring a whole new meaning to war driving. It would be awesome pretty much all around. Those folks who are not inclined can either get it optionally and let the system take care of itself with "secure" defaults. They could also get a vehicle which did not have the options. It would be a great choice and a wonderful added value to some of us.

      It would be great to be able to push a song to the car next to you as you tool down the highway. It would be even more fun to send them a message saying that they need to turn left at the next intersection because someone in your convoy has to stop for a piss. Even better would be the ability to tell the guy in the BMW (that would be me though I am not stereotypical) that they are driving like an idiot and that they need to stop before you just say to hell with it and ram them off the road in a PIT maneuver. You could have a wireless mesh network connected to the cell network. There are lots of great potentials (all of which are ripe for abuse) and security would be something you could/should do on your own if you are inclined to do so. It would be great...

      You could pull up into your garage and sync your backups to a RAID10 cluster in your trunk and always have a remote backup for your files. Think of the potential goods (and the risks) and let your imagination run free. I, for one, welcome our new full blown operating system equipped automobiles. If you can not think of such or do not envision such and get your knickers into a knot over such an idea then I have absolutely no idea why you would be on Slashdot. Maybe Reddit is more your style?

      --
      "So long and thanks for all the fish."
    3. Re:This Screams, get real computers in cars. by sinij · · Score: 1

      Average car on the road is 11 years old right now. Assuming it is possible to design a secure OS (see Programming Satan's Computer for many reasons why not), crypto of that vintage is susceptible to bruteforce. This is assuming over that period of time nobody dropped the ball and lost signing keys and such.

      Thing is, what you are proposing is fundamentally feature bloat. It doesn't help you drive.

    4. Re:This Screams, get real computers in cars. by KGIII · · Score: 1

      Not at all but it would be fun to play with.

      --
      "So long and thanks for all the fish."
    5. Re:This Screams, get real computers in cars. by sinij · · Score: 1

      Yes, and this is exactly how you end up with a homer car.

    6. Re:This Screams, get real computers in cars. by KGIII · · Score: 1

      I would have bought one of those.

      --
      "So long and thanks for all the fish."
  9. The car thief version will be called GoneStar by almondo · · Score: 1

    Trust me grasshopper as I have foreseen it.

  10. Onstar by JustNiz · · Score: 3, Insightful

    Onstar is basically GM having the balls to charge the customer for the equipment that GM uses to gather personal data and to sell navigation and other services that mostly your phone already does for free.

    It boggles my mind how gullible people are. I'm amazed that people don't all just refuse to buy any car with Onstar in.

    1. Re: Onstar by Anonymous Coward · · Score: 0

      You get the same function in your $14k car that your neighbors $40k has. Keep up.

    2. Re:Onstar by dpidcoe · · Score: 2

      The target market is people who don't know how to use smartphones and such. My grandpa actually was annoyed that he couldn't get a car with onstar in it.

    3. Re:Onstar by jittles · · Score: 1

      Onstar is basically GM having the balls to charge the customer for the equipment that GM uses to gather personal data and to sell navigation and other services that mostly your phone already does for free.

      It boggles my mind how gullible people are. I'm amazed that people don't all just refuse to buy any car with Onstar in.

      While I agree with you, the point of OnStar IS to collect personal data about GM drivers, you must concede that OnStar came about long before smart phones and Google Maps on a mobile device. In fact, the service was launched in 1996 for model year 1997 cars. The security holes and issues in OnStar have likely existed from the very beginning. Who knows how long they've been exploited for, but we can assume that the people who designed the hardware and software for OnStar had not yet learned the lessons about security that would be so crucial towards the end of the DotCom bubble.

    4. Re:Onstar by JustNiz · · Score: 1

      I just checked with GM.
      But for one single exception, literally every GM vehicle made including every model GMC, Buick, Cadillac and Chevy comes with OnStar and you cannot buy the car without it.

      The one single exception is the 2015 base model Chevy Colorado. Good luck finding a base model.

    5. Re:Onstar by dpidcoe · · Score: 1

      But Kia doesn't make cars with OnStar last I checked, which is what he ended up buying because of reasons.

      (sorry, my initial comment probably needed more context)

    6. Re: Onstar by JustNiz · · Score: 1

      What if you don't want it?

    7. Re:Onstar by Anonymous Coward · · Score: 0

      When I bought my Kia I actually asked the dealer if it had OnStar and all the features OnStar provides. He said no. I said sold.

    8. Re: Onstar by KGIII · · Score: 1

      Don't buy it and quit whinging. This is not complicated. You have choices. If you are so weak that you can not resist the shiny then, frankly, you get what you deserve. If there is a market for people who do not want such there will be cars available without such. In this case, avoid cars with OnStar. Other than that, try to keep up.

      --
      "So long and thanks for all the fish."
    9. Re: Onstar by JustNiz · · Score: 1

      >> If there is a market for people who do not want such there will be cars available without such.

      Not at all. In the US at least, government legislation, special interest groups like MADD and billions spent in advertising/brainwashing easily trump anything that goes against any mass-market convention, whatever it is.

      >> Other than that, try to keep up.
      Maybe it's actually you that needs to try to not be a dick.

    10. Re: Onstar by KGIII · · Score: 1

      Nah, you will find a market. There will be people who spend more and more time taking old cars and restoring them to factory condition (or better). You won't get your new cars but you will get used ones that have lots of life and the added bonus that you can fix them. You can already do this. This will just be more common if there is a market.

      --
      "So long and thanks for all the fish."
  11. de haxx0rz by Anonymous Coward · · Score: 0

    r in ur carz nao

  12. GM aware of security hole and working on fix .. by nickweller · · Score: 1

    Time and again we keep hearing about such defects. Did no one at GM even test the product against such security defects?

  13. Good! GM Cars Should Be Banned by Anonymous Coward · · Score: 0

    I stick with organic cars only, not genetically modified cars.

  14. So Glad My Cars are from the 60's by Anonymous Coward · · Score: 0

    I've got a 68 VW Bug and a 65 Ford Econoline that I'm not replacing anytime soon. Both get great fuel mileage - The bug gets 35 to 50 while the van gets 20 to 24 depending on load and neither of them have any electronics at all.

    Even mum's vehicle - 2003 Chevy Tracker - is fairly safe since it doesn't have the OnStar crap or anything more sophisticated than a CD/Stereo player. I suspect it may be vulnerable to the direct hack of the CD player to take control of some of the ECM functions but the AC and other features are still using switches, levers and knobs so I'm not sure.

    Today's Captcha = Sanity (pretty appropriate I'd say).

  15. iOS app update by jbaustert · · Score: 1

    OnStar RemoteLink v2.1 for iOS was released today. I can't verify this is the fix for this issue, only inferring it.

  16. GM forces onstar on you by JustNiz · · Score: 2

    I just checked with GM customer service,
    But for one single exception, every GM vehicle made including every model GMC, Buick, Cadillac and Chevy comes with OnStar and you literally cannot buy the car without it.

    The one single exception is the 2015 base model Chevy Colorado. Good luck finding a base model.