How to hack, track and unlock a GM car via OnStar

If you're the owner of a GM vehicle equipped with the OnStar system that is supposed to "keep you safe, connected and ready for the road ahead", then there is a new security concern which you need to know about.

Security researcher Samy Kamkar has found a way of launching a man-in-the-middle attack that can steal OnStar account information. After intercepting communications between a smartphone running the OnStar RemoteLink app and the OnStar servers, Kamkar is able to locate, unlock and remote start vehicles.

Kamkar's homemade video shows you the hack in action, using a small $100 box of electronics that incorporates a Raspberry Pi microcomputer creating a small WiFi network. Kamkar has wryly dubbed the gadget, "OwnStar".

Kamkar says that the vulnerability lies not in the cars but instead in the smartphone app, which is failing to take adequate security measures when communicating with the OnStar servers.

As a consequence, as Wired reports, once Kamkar's box of tricks has stolen credentials from the car owner's app, the owner can be attacked in a number of ways:

With the user's RemoteLink login credentials, Kamkar says a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition to drain its gas or fill a garage with carbon monoxide, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

OwnStar. Image source: Wired

Kamkar will be demonstrating the attack, and discussing other aspects of car hacking, at next week's DEF CON hacker conference.

News of Kamkar's research comes soon after the (somewhat more sinister) demo which saw a Jeep's entertainment system, engine and brakes interfered with by security researchers sat 10 miles away, while it was being driven down a busy highway at 70mph.

That vulnerability requires car owners to either take their vehicle back to the dealer, or to apply a patch via a USB stick. In the case of OnStar, it sounds as if a security update to the OnStar RemoteLink app for Android and iOS will be enough.

Nonetheless, you really have to wonder whether manufacturers are racing to connect their vehicles to the internet at a hazardous speed - when they should really be applying the brakes until they have a proper handle on security.


2 Responses

  1. Jason

    August 3, 2015 at 1:35 pm #

    "From across the Internet, they can start the vehicle’s ignition to drain its gas or fill a garage with carbon monoxide" is factually inaccurate. You can't run the car indefinitely this way.

  2. Otto medrano

    April 29, 2016 at 1:21 pm #

    I'M CURRENTLY LIVING A NIGHTMARE DUE TO SOME HACKERS THAT HAVE MADE MY LIFE MISERABLE FOR THE LAST MONTH. I HAVE AN ONSTAR SYSTEM ON MY 2007 BUICK LUCERNE AND EVER SINCE THEY STARTED MESSING WITH MY CAR IT'S BEEN FRUSTRATING. SENDING FALSE REPORTS OF TIRE PRESSURE LOW, MY GAS, THEY'VE GOTTEN INSIDE THE VEHICLE AND DIRTIED IT. IT'S TOO MUCH. I want to know what I can do to stop this. This is a preowned vehicle. I'm subscribed to OnStar. Thank you.
