GM told Tech Insider in a statement that they have fixed the vulnerability that enables the OwnStar device to work, but Kamkar said he is still able to perform the breach. From there, it obtains the digital keys it needs to control the vehicle at any time, passes those on to the attacker and boom, instant indefinite access.
Advertisement
Security researchers have become increasingly vocal in warning of the potential vulnerabilities in modern vehicles.
Hacker Samy Kamkar shows how after hacking the OnStar mobile app, he’s able to use it to control a Chevy Volt.
The GM OnStar security flaw is just the latest example of how connected cars are vulnerable to hackers.
The National Highway Safety Administration also plans to look into the matter and two U.S. senators also called for an investigation into Chrysler’s handling of the recall, which they said came nine months after the company knew about the security flaw.
OnStar offers various services including crash reports, remote unlocking, ignition blocks in the case of theft and navigation services.
Hackers can then unlock the vehicle and use the remote start functionality on any compatible GM models-and GM now has OnStar technology in more than 30 of its vehicles.
“The hacker said he discussed the fix with representatives from GM, but their efforts failed to thwart the attack method he uncovered, which uses a device he built and dubbed ‘OwnStar”. And at that point, the hacker can use the Remote Link app to control the vehicle. The researcher will give a presentation on the exploit and his device, as well as other vulnerabilities he found, at the DEF CON 2015 conference in Las Vegas in August.
“After a user opens the RemoteLink mobile app on their phone near my OwnStar device, OwnStar intercepts the communications and sends specially crafted packets to the mobile device to acquire additional credentials then notifies me, the attacker, about the vehicle that I indefinitely have access to, including its location, make, and model”, Kamkar said in a video demonstrating the device.
Kamkar says that the vulnerability lies not in the cars but instead in the smartphone app, which is failing to take adequate security measures when communicating with the OnStar servers.
Advertisement
More than 3 million people have downloaded the OnStar RemoteLink mobile app for Apple iOS and Google Inc devices, according to OnStar’s website.
