GM Says It Fixed OnStar App After Hack, But Vehicles Are Still Left Vulnerable To More Attacks

Lauren Keating, Tech Times 30 July 2015, 05:07 pm

As many people worry about the safety of self-driving cars after the recent monthly accident reports provided by Google, it may be time to focus on the safety of the vehicles that currently get us around.

Last week Fiat Chrysler Automobiles recalled 1.4 million vehicles after hackers revealed they could control a Jeep Cherokee SUV wirelessly because of an opening in the radio. They were able to stop the transmission from working, take over the steering wheel, change music and turn on the air conditioning.

And now the latest target is General Motors.

On Thursday morning, security researcher Samy Kamkar uploaded a YouTube video that revealed that he had found a way to "locate, unlock and remote-start" vehicles.

By using a device he created called OwnStar, Kamkar was able to successfully intercept commands sent from the OnStar RemoteLink app to the OnStar servers.

Once the OnStar app is open, the OwnStar device intercepts communications, and sends packets to the device to acquire addition credentials such as the car owner's email, home address, some credit card information and, of course, the ability to remotely control the car. By using the OwnStar, a device that includes a computer called Raspberry Pi and wireless adapters, the hacker is then notified via the app about the vehicle they now have indefinite access to, giving up the car's location, make and model.

Hackers can then unlock the vehicle and use the remote start functionality on any compatible GM models—and GM currently has OnStar technology in more than 30 of its vehicles. Hackers would be able to track your car and unlock its doors, although Kamkar wasn't able to drive off since he didn't have the key.

While this is seriously scary stuff, Kamkar revealed that the issue lies within the mobile software app and is not a problem with the car itself. His goal was not to control GM vehicles, but rather to raise awareness surrounding the vulnerabilities of the technology.

Since the video was released, GM reportedly has worked to fix the issue, but Kamkar confirmed that its efforts remained unsuccessful, leaving the software vulnerable for future attacks.

OwnStar update: GM told WIRED that OnStar bug was fixed, however it's not actually resolved yet. I spoke with GM & they're working on it now

— Samy Kamkar (@samykamkar) July 30, 2015

GM worked on fixing the vulnerabilities overnight, but did not roll out an update to its RemoteLink app. Kamkar suggested not using the app until an update is launched.

Kamkar will reveal more details about his device and the hacking attack on GM's OnStar RemoteLink system at the Def Con hacker conference in Las Vegas next week.