Pierluigi Paganini July 31, 2015

The popular hacker Samy Kamkar has presented a new gadget that could be exploited to hacks GM Cars. The tool allows to locate, Unlock, and Start Them.

Do you have a General Motors car? Do you have $100 to spare? Do you want to hack your car?

If the reply to my questions is yes, this is definitely the news for you.

Samy Kamkar, one of our favorite researchers has presented his newest creation, the Ownstar.

Ownstar will be fully presented at the DEF CON hacking conference next week in Las Vegas, but we know already a some things about it.

Before starting to explain about Ownstar itself, we need to review what is OnStar (don’t mix the names), using the words of used by The Registrer website:

“OnStar is a cellular service that piggybacks AT&T’s cellphone network to connect vehicles to the internet: equipment in the car connects to the ‘net via the OnStar service, and sets up a Wi-Fi network inside the vehicle so people can browse Facebook on the move, or whatever. OnStar’s RemoteLink mobile app is used to connect to the car remotely from a smartphone, and control the vehicle’s systems.” states The Register. 

Ownstar is a hacking kit, similar to a computer board, with some antennas, and some controller circuit boards, and the wannabe thief needs to carry it and be in range of someone using the OnStar app (like a Man-in-the-middle attack scenario).

This sort of Man-in-the-middle has the goal of intercepting communication and discover the location of the car and the model.

“If I can intercept that communication, I can take full control and behave as the user indefinitely,” says Kamkar. “From then on I can geolocate your car, go up to it and unlock it, and use all the functionalities that the RemoteLink software offers.” “I suggest not opening the RemoteLink app up until an update has been provided from OnStar,” he added.

When the car’s owner leaves the perimeter, the attacker can use the intercepted info to disguise as the Onstar app, and unlock the car, start the engine like he was the legitimate owner.

The catch is, even if you are inside the car, and with the engine on, you can’t drive the car because it requires the key.

“GM takes matters that affect our customers’ safety and security very seriously. GM product cybersecurity representatives have reviewed the potential vulnerability recently identified,” General Motors stated.

“In working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously, and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk.”

If you still feel curious, please check the presentation video of the Ownstar:

GM told to WIRED that it has now fixed the vulnerability that Kamkar’s device exploited, with no action necessary for OnStar users. Unfortunately, Kamkar explained that the problem is not yet resolved, however he has been told by GM that the company is still working on it.

No doubts, manufacturers need to improve the security of their connected cars in order to avoid major incidents.

Edited by Pierluigi Paganini

(Security Affairs – Ownstar,  hacking)