
7/31/2015
10:15 AM

GM Vehicles Can Be Located, Unlocked, Started Remotely Via OnStar App

White hat hacker Samy Kamkar's OwnStar device is the latest to show up vulnerabilities in modern vehicles

[UPDATED with GM comments]

In another demonstration of how vulnerable modern vehicles are to external tampering, a hacker has shown how to locate, unlock, and remotely start any GM vehicle equipped with an OnStar RemoteLink app.

In a YouTube video posted Thursday, white hat hacker Samy Kamkar used a device he calls "OwnStar" to intercept communications between a user’s OnStar mobile app and the OnStar cloud service. He then showed how an attacker could send specially crafted packets to the user’s mobile device to gain access to additional credentials describing the connected vehicle’s location, make, and model.

With that information in hand, an attacker can use the intercepted OnStar app’s remote unlock and remote start functions to take over the vehicle, he said. Any GM vehicle owner who fires up the OnStar mobile app in the proximity of an OwnStar device is vulnerable to the attack, Kamkar says. He urged GM owners not to use the OnStar RemoteLink mobile app until the company has a fix for the problem.

“Fortunately the problem lies with the mobile software and is not a problem with the vehicles themselves,” Kamkar says. “GM and OnStar have so far been receptive to me and are already working quickly on a resolution to protect consumers.”

In an emailed statement to Dark Reading, a GM spokesperson said the company's product cybersecurity representatives had reviewed the vulnerability and secured an unspecified back-office system to reduce risk. That step required no customer action, the spokesman said. But continued testing identified that further action was necessary on the Apple iOS version of the RemoteLink app. "That step has now been taken and an update is now available via Apple’s App Store," the spokesperson said.

OnStar will alert affected GM customers about the previous version of the app being decommissioned. "No additional action is required for Android, Windows Phone and Blackberry users," the GM spokesperson said.

Kamkar described his YouTube demonstration as a sneak peek and promised more details on the exploit and other car-related attacks and tools over the coming weeks at the DEF CON security conference and other venues.

Kamkar’s exploit is the second one targeted at smart cars in recent days. Earlier this month, noted car hackers Charlie Miller and Chris Valasek demonstrated how attackers could take complete remote control of a Jeep Cherokee’s braking, steering, and other critical systems through the vehicle’s entertainment system.

As part of the demonstration, the two hackers showed how they could kill the Jeep’s transmission remotely from 10 miles away while the vehicle was traveling at 70 miles per hour, causing the accelerator to stop working. The two hackers also disabled the vehicle’s brakes and toyed with the vehicle’s air conditioning, entertainment, and wiper systems to show how an attacker could take complete control of many critical functions of the vehicle by gaining access to its entertainment system.

The unnerving demonstration quickly prompted Fiat Chrysler Automobiles to issue a recall of some 1.4 million vehicles, covering seven vehicle models, equipped with certain radios. The company also implemented fresh network-level security measures to prevent the sort of remote manipulation that was demonstrated by the two hackers.

Chrysler described the attack as one requiring very sophisticated hacking skills and highly detailed technical knowledge. But it was enough to stir major concerns among lawmakers and other car manufacturers as well.

Kamkar’s demonstration is almost certain to fuel those concerns even further and prompt closer scrutiny of the measures that major automakers are taking to protect modern, highly connected vehicles against remote attacks.

Concerns over car hacking are not new. Dramatic as the latest demonstrations by Kamkar, Miller, and Valasek have been, there were several others in recent years that have highlighted similar weaknesses.

In 2013, for instance, Miller and Valasek themselves demonstrated how attackers could remotely send malicious commands to a vehicle’s electronic control unit and cause problems with its braking, acceleration, steering, and tire pressure systems.

Concerns spawned by that demonstration prompted Sen. Edward Markey (D-MA) to send a letter to the CEOs of 20 major automakers asking for information on potential vulnerabilities in their vehicles to hacker attacks.

The responses from the automakers showed that 100 percent of modern vehicles are equipped with wireless technologies that are vulnerable to security and privacy intrusions, Markey’s office said in a report released earlier this year. The responses also showed that most automakers are unaware of or unable to report on past hacking incidents and had inconsistent or haphazard measures for preventing remote access to vehicle electronics.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 

Comments
StaceyE,
User Rank: Apprentice
7/31/2015 | 3:54:26 PM
Kind of scary!
In my opinion, saying how sophisticated a hacker's skills would have to be to hack my car would not make me feel secure. If it can be done, it must be prevented.