Your BMW or Merc may also be at risk of being hacked, because of your iOS app

At the end of last month, I described how security researcher Samy Kamkar had managed to launch a man-in-the-middle attack against the RemoteLink smartphone app used by owners of GM cars equipped with a system called OnStar.

In this way, Kamkar had found out he could locate, unlock and even remotely start vehicles.

Now, according to a report in Wired, a host of similar systems used by other car manufacturers are vulnerable to similar attacks:

Over the last week, Kamkar has analyzed the iOS apps of BMW’s Remote, Mercedes-Benz mbrace, Chrysler Uconnect, and the alarm system Viper’s Smartstart, and found that all of those internet-connected vehicle services are vulnerable to the attack he used to hack GM’s OnStar RemoteLink app.

"If you’re using any of these four apps, I can automatically get all of your log-in information and then indefinitely authenticate as you," says Kamkar. "These apps give me different levels of control of your car. But they all give me some amount of control."

I have got used to constantly reporting on companies suffering damaging data breaches which expose the private information of their customers. It seems that I'm more and more hearing about car manufacturers suffering from serious security vulnerabilities too.

Heaven help us as the internet of things continues its steady expansion, with so little thought as to privacy and security.

At least in this case one hopes that any vulnerabilities can be fixed by issuing a patched version of the affected iOS apps to at-risk car owners.

You can read the full story at Wired, and about Samy Kamkar's successful hack of GM cars here.


8 Responses

  1. Simon

    August 17, 2015 at 1:59 pm #

    I'm glad I have a car without these smarts…

    Seems a lot more emphasis needs to be done towards securing these mechanisms. I wouldn’t be surprised if other cars are vulnerable to the same/similar flaws…

  2. Jon

    August 17, 2015 at 2:10 pm #

    And manufacturers are even now ploughing on into the Brave New World of driverless automotive technology. In a few years' time, your insurance premiums could very well be based on how easy your car is to hack.

  3. mark jacobs

    August 17, 2015 at 3:58 pm #

    Is it just me, or does it seem reasonable that YOU DO NOT WANT TO PUT YOUR CAR ENGINE'S CONTROL SYSTEMS ON THE INTERNET? It just seems like common sense to me, but we should not be wifi-enabling life-or-death instrumentation. I would hate to see a wifi-enabled pacemaker come out, and then see subsequent headlines appear of wearers dying from being drive-by hacked!

    • Coyote in reply to mark jacobs.

      August 17, 2015 at 5:09 pm #

      It isn't just you. But yet there is a growing fascination for the IoT but it is pure stupidity. That's the nicest I can put it. I've written about this for some years but the masses just don't get why it is such a bad idea to have cars (and other heavy machinery) connected to a network (or otherwise not in the control of the driver – and only their control [or I suppose with planes the pilot and co-pilot]).

    • 4sash in reply to mark jacobs.

      August 20, 2015 at 2:51 am #

      That day is already here. Google "pacemaker hacking" or "pacemaker security flaws" and you will see that ICDs (cardioverter defibrillator) can be commanded to give a lethal shock from a distance of 50 feet. The security is very poor in those devices. It was designed to be convenient for health care providers to adjust settings etc. without opening up the patient, but surely they could have added at least 2 layers (to and from) of firewall and/or password protection! Backdoors (needed during emergency) can be hidden and access limited to healthcare providers. With so many routers and public WiFi's around, 50 ft is all a random trigger happy psychotic person needs.
      PS: I have devices inside my body, but fortunately they are mechanical :-)

  4. Pete

    August 17, 2015 at 5:22 pm #

    Lesson: "Smart" car = stupid idea.

    • Simon in reply to Pete.

      August 19, 2015 at 11:10 am #

      Agreed, but the sentiments of a few are no match for the 'scary' evolution of what the automotive industry are gravitating towards…

      I envision self-driving vehicles in logistics will slowly replace truck drivers.

      Imagine the impact this'll cause. Not just for those that do this for a living, but those who depend on their employment.
      The domino effect will likely stem to those servicing these truckies in far/remote locations.
      A good sum of business are from those behind the wheel wanting a meal, refill, etc…
      Compounding the fact that the service industry also have dependencies/mouths to feed…

      Once regulations cave in and approve driverless vehicles, it'll be interesting times thereafter…

  5. Mike Sangha

    August 17, 2015 at 7:00 pm #

    Most cars on the road today – and not carrying "antique" license plates in the USA – are computers. The average car has 100 million lines of code!! You cannot have that amount of code and not have bugs. This blogger is right (http://bit.ly/1fuwGNV) we don't drive cars, we drive computers! The horses are out of the barn. If you think this is bad, wait till IoT is a full blown phenomenon.
