Hacker shows he can locate, unlock and remote start GM vehicles

A hacker has posted a video demonstrating how he can use a mobile device to intercept GM's OnStar telematics mobile app

A security researcher has posted a video on YouTube demonstrating how a device he made can intercept wireless communications to locate, unlock and remotely start GM vehicles that use the OnStar RemoteLink mobile app.

Samy Kamkar, who refers to himself as a hacker and whistleblower, posted the video today showing him using a device he calls OwnStar. The device, he said, intercepts communications between GM's OnStar RemoteLink mobile app and the OnStar cloud service.

The hack comes on the heels of another vehicle-related security breach that proved Fiats and Chryslers with early model versions of the UConnect infotainment system could be broken into electronically, and that the UConnect system could then be used to control vital vehicle functions. Those hackers were able to control vehicle acceleration, braking and ignition systems, among others.

After the hack was made public, Fiat Chrysler Automobiles (FCA) issued a recall notice for 1.4 million vehicles in order to fix a software hole that allowed hackers to wirelessly break into some vehicles and electronically control vital functions.

The National Highway Safety Administration also plans to look into the matter, and two U.S. senators called for an investigation into Chrysler's handling of the recall, which they said came nine months after the company knew about the security flaw.

OnStar is GM's subscription-based, in-vehicle service that provides vehicle security, hands-free calling, turn-by-turn navigation and remote diagnostics.

RemoteLink, for its part, is GM's OnStar mobile app that allows users to unlock and remote-start their vehicles from almost anywhere. The app also can turn on headlights, sound the horn and manage an equipped vehicle's Wi-Fi hotspot.

Kamkar said that after a user opens the OnStar RemoteLink app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "specially crafted" data packets to the mobile device to acquire additional credentials. The OwnStar device then notifies the attacker about the new vehicle that the hacker has access to for an indefinite period of time, including its location, make and model. At that point, the hacker can use the RemoteLink app to control the vehicle.

"Fortunately, the issue lies in the mobile software and is not a problem with the vehicles themselves," Kamkar said. "GM and OnStar have so far been receptive to me and are already working quickly on a resolution to protect consumers."

Until GM provides a software patch, Kamkar suggested that OnStar vehicle owners not open the RemoteLink app.

In a statement to Computerworld, GM said it takes matters that affect its customers' safety and security "very seriously."

"GM product cybersecurity representatives have reviewed the potential vulnerability recently identified. In working with the researcher, we moved quickly to secure our back-office system and reduce risk," the company stated. "However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk."

Kamkar said he'll be providing additional details about the hack at the upcoming Def Con hacking conference as well as on his YouTube channel and website.

The OnStar RemoteLink app works with Apple iOS, Android, BlackBerry and Windows mobile devices and has been downloaded by more than 3 million people, according to OnStar's website.

Stories by Lucas Mearian

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place