Hackers can open doors, start engine via GM OnStar app [w/video] [UPDATE]

UPDATE: General Motors has informed Autoblog that a security fix for the OnStar RemoteLink app is now available. iOS users should head to the Apple App Store, while users on other operating systems won't need to do anything, as the vulnerability was eliminated "on the back-end," GM spokesman Stuart Fowle told Autoblog. We've also updated the story with an official statement from GM, available below.

Fiat Chrysler isn't the only automaker facing a hacking problem. A new report from Reuters indicates a researcher has found a way into products from General Motors by way of the company's OnStar RemoteLink mobile app.

Samy Kamkar, a so-called "white hat" hacker (i.e. the good kind of hacker), demonstrated the exploit using something called OwnStar. In a video released on YouTube, Kamkar uses OwnStar to intercept the communication from a nearby phone running RemoteLink to a Chevrolet Volt, sending specialized data packets to the phone and gaining vehicle access "indefinitely." In the real world, that could allow some potentially nefarious individual access to a vehicle's locks, GPS data, and the ability to start and stop the engine. The good news, as Kamkar says, is that the issue lies with the app, and not the actual vehicle.

General Motors is moving swiftly to counter the exploit, telling Reuters that a RemoteLink update is just "days away." And while that probably won't do much to ease the minds of consumers who routinely use the app, GM thinks the odds of a problem are on the low side.

"We believe the chances of replicating this demonstration in the real world are unlikely. In addition, the action involves one user at a time, and would impact only that specific user's account," spokesman Terrence Rhadigan told Reuters.

You can see Kamkar take advantage of the exploit using OwnStar in the video below.
GM takes matters that affect our customers' safety and security very seriously. GM product cybersecurity representatives reviewed a vulnerability identified by an independent researcher this week and moved quickly to secure our back-office system and reduce risk. That step required no customer action.

Continued testing identified further action necessary on the Apple iOS version of RemoteLink app itself. That step has now been taken and an update is now available via Apple's App Store. Impacted customers will receive a communication from OnStar today and the previous version of the app will be decommissioned following that communication to ensure customer security. No additional action is required for Android, Windows Phone and Blackberry users.
