At the end of last month, I described how security researcher Samy Kamkar had managed to launch a man-in-the-middle attack against the RemoteLink smartphone app used by owners of GM cars equipped with a system called OnStar.
In this way, Kamkar had found out he could locate, unlock and even remotely start vehicles.
Now, according to a report in Wired, a host of similar systems used by other car manufacturers are vulnerable to similar attacks:
Over the last week, Kamkar has analyzed the iOS apps of BMW’s Remote, Mercedes-Benz mbrace, Chrysler Uconnect, and the alarm system Viper’s Smartstart, and found that all of those internet-connected vehicle services are vulnerable to the attack he used to hack GM’s OnStar RemoteLink app.
“If you’re using any of these four apps, I can automatically get all of your log-in information and then indefinitely authenticate as you,” says Kamkar. “These apps give me different levels of control of your car. But they all give me some amount of control.”
I have got used to constantly reporting on companies suffering damaging data breaches which expose the private information of their customers. It seems that I’m more and more hearing about car manufacturers suffering from serious security vulnerabilities too.
Heaven help us as the internet of things continues its steady expansion, with so little thought as to privacy and security.
At least in this case one hopes that any vulnerabilities can be fixed by issuing a patched version of the affected iOS apps to at-risk car owners.