
7/31/2015
10:15 AM

GM Vehicles Can Be Located, Unlocked, Started Remotely Via OnStar App

White hat hacker Samy Kamkar's OwnStar device is the latest to show up vulnerabilities in modern vehicles

[UPDATED with GM comments]

In another demonstration of how vulnerable modern vehicles are to external tampering, a hacker has shown how to locate, unlock, and remotely start any GM vehicle equipped with an OnStar RemoteLink app.

In a YouTube video posted Thursday, white hat hacker Samy Kamkar used a device he calls "OwnStar" to intercept communications between a user’s OnStar mobile app and the OnStar cloud service. He then showed how an attacker could send specially crafted packets to the user’s mobile device to gain access to additional credentials describing the connected vehicle’s location, make, and model.

With that information on hand, an attacker can use the intercepted OnStar app’s remote unlock and remote start functions to take over the vehicle, he said. Any GM vehicle owner who fires up the OnStar mobile app in the proximity of an OwnStar device is vulnerable to the attack, Kamkar says. He urged GM owners not to use the OnStar RemoteLink mobile app until the company has a fix for the problem.

“Fortunately the problem lies with the mobile software and is not a problem with the vehicles themselves,” Kamkar says. “GM and OnStar have so far been receptive to me and are already working quickly on a resolution to protect consumers.”

In an emailed statement to Dark Reading, a GM spokesperson said the company's product cybersecurity representatives had reviewed the vulnerability and secured an unspecified back-office system to reduce risk. That step required no customer action, the spokesperson said. But continued testing identified that further action was necessary on the Apple iOS version of the RemoteLink app. "That step has now been taken and an update is now available via Apple’s App Store," the spokesperson said.

OnStar will alert affected GM customers about the previous version of the app being decommissioned. "No additional action is required for Android, Windows Phone and Blackberry users," the GM spokesperson said.

Kamkar described his YouTube demonstration as a sneak peek and promised more details on the exploit and other car-related attacks and tools over the coming weeks at the DEF CON security conference and other venues.

Kamkar’s exploit is the second one targeted at smart cars in recent days. Earlier this month, noted car hackers Charlie Miller and Chris Valasek demonstrated how attackers could take complete remote control of a Jeep Cherokee’s braking, steering, and other critical systems through the vehicle’s entertainment system.

As part of the demonstration, the two hackers showed how they could kill the Jeep’s transmission remotely from 10 miles away while the vehicle was traveling at 70 miles per hour, causing the accelerator to stop working. The two hackers also disabled the vehicle’s brakes and toyed with the vehicle’s air conditioning, entertainment, and wiper systems to show how an attacker could take complete control of many critical functions of the vehicle by gaining access to its entertainment system.

The unnerving demonstration quickly prompted Fiat Chrysler Automobiles to issue a recall of some 1.4 million vehicles, covering seven vehicle models, equipped with certain radios. The company also implemented fresh network-level security measures to prevent the sort of remote manipulation that was demonstrated by the two hackers.

Chrysler described the attack as one requiring very sophisticated hacking skills and a highly detailed technical knowledge. But it was enough to stir major concerns among lawmakers and other car manufacturers as well.

Kamkar’s demonstration is almost certain to fuel those concerns even further and prompt closer scrutiny of the measures that major automakers are taking to protect modern, highly connected vehicles against remote attacks.

Concerns over car hacking are not new. Dramatic as the latest demonstrations by Kamkar, Miller, and Valasek have been, there were several others in recent years that have highlighted similar weaknesses.

In 2013, for instance, Miller and Valasek themselves demonstrated how attackers could remotely send malicious commands to a vehicle’s electronic control unit and cause problems with its braking, acceleration, steering, and tire pressure systems.

Concerns spawned by that demonstration prompted Sen. Edward Markey (D-MA) to send a letter to the CEOs of 20 major automakers asking for information on potential vulnerabilities in their vehicles to hacker attacks.

The responses from the automakers showed that 100 percent of modern vehicles are equipped with wireless technologies that are vulnerable to security and privacy intrusions, Markey’s office said in a report released earlier this year. The responses also showed that most automakers are unaware of or unable to report on past hacking incidents and had inconsistent or haphazard measures for preventing remote access to vehicle electronics.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
StaceyE,
User Rank: Apprentice
7/31/2015 | 3:54:26 PM
Kind of scary!
In my opinion, saying how sophisticated a hacker's skills would have to be to hack my car would not make me feel secure. If it can be done, it must be prevented.