How to hack, track and unlock a GM car via OnStar

Graham Cluley

If you’re the owner of a GM vehicle equipped with the OnStar system that is supposed to “keep you safe, connected and ready for the road ahead”, then there is a new security concern which you need to know about.

Security researcher Samy Kamkar has found a way of launching a man-in-the-middle attack that can steal OnStar account information. After intercepting communications between a smartphone running the OnStar RemoteLink app and the OnStar servers, Kamkar is able to locate, unlock and remote start vehicles.

Kamkar’s homemade video shows you the hack in action, using a small $100 box of electronics that incorporates a Raspberry Pi microcomputer creating a small WiFi network. Kamkar has wryly dubbed the gadget “OwnStar”.

Kamkar says that the vulnerability lies not in the cars but instead in the smartphone app, which is failing to take adequate security measures when communicating with the OnStar servers.

As a consequence, as Wired reports, once Kamkar’s box of tricks has stolen credentials from the car owner’s app, the owner can be attacked in a number of ways:

With the user’s RemoteLink login credentials, Kamkar says a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition to drain its gas or fill a garage with carbon monoxide, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

OwnStar. Image source: Wired

Kamkar will be demonstrating the attack, and discussing other aspects of car hacking, at next week’s DEF CON hacker conference.

News of Kamkar’s research comes soon after the (somewhat more sinister) demo which saw a Jeep’s entertainment system, engine and brakes interfered with by security researchers sat 10 miles away, while it was being driven down a busy highway at 70mph.

That vulnerability requires car owners to either take their vehicle back to the dealer, or to apply a patch via a USB stick. In the case of OnStar it sounds as if a security update to the OnStar RemoteLink app for Android and iOS will be enough.

Nonetheless, you really have to wonder whether manufacturers are racing to connect their vehicles to the internet at a hazardous speed – when they should really be applying the brakes until they have a proper handle on security.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “How to hack, track and unlock a GM car via OnStar”

  1. "From across the Internet, they can start the vehicle’s ignition to drain its gas or fill a garage with carbon monoxide" is factually inaccurate. You can't run the car indefinitely this way.

  2. I'm currently living a nightmare due to some hackers that have made my life miserable for the last month. I have an OnStar system on my 2007 Buick Lucerne and ever since they started messing with my car it's been frustrating. Sending false reports of tire pressure low, my gas, they've gotten inside the vehicle and dirtied it. It's too much. I want to know what I can do to stop this. This is a preowned vehicle. I'm subscribed to OnStar. Thank you.
