Revealing that which is concealed. Learning about anything that resembles real freedom. A journey of self-discovery shared with the world.
Have no fellowship with the unfruitful works of darkness, but rather reprove them - Ephesians 5:11
Join me and let's follow that high road...
Thursday, August 6, 2015
Hacker shows he can locate, unlock and remote start GM vehicles
A security researcher has posted a video on YouTube demonstrating how a device he made can intercept wireless communications to locate, unlock and remotely start GM vehicles that use the OnStar RemoteLink mobile app.
Samy Kamkar, who refers to himself as a hacker and whistleblower, posted the video today showing him using a device he calls OwnStar. The device, he said, intercepts communications between GM's OnStar RemoteLink mobile app and the OnStar cloud service.
Photo credit: Samy Kamkar. Hacker Samy Kamkar shows how, after hacking the OnStar mobile app, he is able to use it to control a Chevy Volt.
The hack comes on the heels of another vehicle-related security breach that proved Fiats and Chryslers with early model versions of the UConnect infotainment system could be broken into electronically, and the UConnect system used to control vital vehicle functions. Those hackers were able to control vehicle acceleration, braking and ignition systems, among others.
After the hack was made public, Fiat Chrysler Automobiles (FCA) issued a recall notice for 1.4 million vehicles in order to fix a software hole that allowed hackers to wirelessly break into some vehicles and electronically control vital functions.
The National Highway Safety Administration also plans to look into the matter and two U.S. senators also called for an investigation into Chrysler's handling of the recall, which they said came nine months after the company knew about the security flaw.
OnStar is GM's subscription-based, in-vehicle service that provides vehicle security, hands-free calling, turn-by-turn navigation and remote diagnostics.
RemoteLink, for its part, is GM's OnStar mobile app that allows users to unlock and remote-start their vehicles from almost anywhere. The app can also turn on headlights, sound the horn and manage an equipped vehicle's Wi-Fi hotspot.
Kamkar said that after a user opens the OnStar RemoteLink app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "specially crafted" data packets to the mobile device to acquire additional credentials. The OwnStar device then notifies the attacker about the new vehicle the attacker now has access to for an indefinite period of time, including its location, make and model. At that point, the attacker can use the RemoteLink app to control the vehicle.
"Fortunately, the issue lies in the mobile software and is not a problem with the vehicles themselves," Kamkar said. "GM and OnStar have so far been receptive to me and are already working quickly on a resolution to protect consumers."
Photo credit: Samy Kamkar. On the left is Kamkar's "OwnStar" device, which he used to intercept a "nearby" mobile phone running the OnStar RemoteLink app. On the right is his own phone, linked to the other user's RemoteLink account.
Until GM provides a software patch, Kamkar suggested that OnStar vehicle owners not open the RemoteLink app.
In a statement to Computerworld, GM said it takes matters that affect its customers’ safety and security "very seriously."
"GM product cybersecurity representatives have reviewed the potential vulnerability recently identified. In working with the researcher, we moved quickly to secure our back-office system and reduce risk," the company stated. "However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk."
Kamkar said he'll be providing additional details about the hack at the upcoming Def Con hacking conference as well as on his YouTube channel and website.
The OnStar RemoteLink app works with Apple iOS, Android, BlackBerry and Windows mobile devices and has been downloaded by more than 3 million people, according to OnStar's website.