Hacker's Device Can Intercept OnStar's Mobile App and Unlock, Start GM Cars
Lucas123 writes: Security researcher Samy Kamkar posted a video today demonstrating a device he created that he calls OwnStar that can intercept communications between GM's RemoteLink mobile app and the OnStar cloud service in order to unlock and start an OnStar-equipped car. Kamkar said that after a user opens the OnStar Remote Link app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "data packets to the mobile device to acquire additional credentials. The OwnStar device then notifies the attacker about the new vehicle that the hacker has access to for an indefinite period of time, including its location, make and model. And at that point, the hacker can use the Remote Link app to control the vehicle. Kamkar said GM is aware of the security hole and is working on a fix.
I for one, in Soviet Russia, didn't see this one coming
Crazy that the phone is not just some kind of passthrough, but instead somewhere in the binary contains enough rights to do anything it likes with your car... the device must be just convincing the app that OnStar said it was OK to use its unlimited powers to unlock the car and start the engine or whatever.
On the other hand, perhaps that ALSO means the attack cannot work with any arbitrary car, but only with an instance of an app you have already paired to your car so it was given the right credentials? If so it's a much less serious attack than it would seem at first.
The real issue would be, if a rooted Android or iPhone device could have the car-specific credentials scraped, to use at a later time with their own OnStar app.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Seeing all these vulnerabilities pop up in all these cars, knowing how malware-ridden the typical user's GPC is, you are asking for more GPC in cars?!?! What is wrong with you?!
If your grandma's AOL-connected computer gets infected, it will at most become a nameless bot zombie and a minor nuisance. On the other hand, under a similar scenario your grandma's networked car, probably with her screaming in terror until the bitter end, could realistically become a remotely controlled weapon and seriously ruin everybody's day. Just consider that only a couple of big accidents can pretty much shut down an entire urban highway system, the bar for extreme mayhem in this case is much, much lower.
OnStar is basically GM having the balls to charge the customer for the equipment that GM uses to gather personal data and to sell navigation and other services that mostly your phone already does for free.
It boggles my mind how gullible people are. I'm amazed that people don't all just refuse to buy any car with OnStar in.
I just checked with GM customer service,
But for one single exception, every GM vehicle made including every model GMC, Buick, Cadillac and Chevy comes with OnStar and you literally cannot buy the car without it.
The one single exception is the 2015 base model Chevy Colorado. Good luck finding a base model.