Your BMW or Merc may also be at risk of being hacked, because of your iOS app

Graham Cluley

At the end of last month, I described how security researcher Samy Kamkar had managed to launch a man-in-the-middle attack against the RemoteLink smartphone app used by owners of GM cars equipped with a system called OnStar.

In this way, Kamkar had found out he could locate, unlock and even remotely start vehicles.

Now, according to a report in Wired, a host of similar systems used by other car manufacturers are vulnerable to similar attacks:

Over the last week, Kamkar has analyzed the iOS apps of BMW’s Remote, Mercedes-Benz mbrace, Chrysler Uconnect, and the alarm system Viper’s Smartstart, and found that all of those internet-connected vehicle services are vulnerable to the attack he used to hack GM’s OnStar RemoteLink app.

“If you’re using any of these four apps, I can automatically get all of your log-in information and then indefinitely authenticate as you,” says Kamkar. “These apps give me different levels of control of your car. But they all give me some amount of control.”

I have got used to constantly reporting on companies suffering damaging data breaches which expose the private information of their customers. It seems that I'm hearing more and more about car manufacturers suffering from serious security vulnerabilities too.

Heaven help us as the internet of things continues its steady expansion, with so little thought as to privacy and security.


At least in this case one hopes that any vulnerabilities can be fixed by issuing a patched version of the affected iOS apps to at-risk car owners. Given Kamkar's claim that captured log-in details let him "indefinitely authenticate as you", though, the manufacturers would also need to invalidate any credentials and sessions already captured, rather than rely on an app update alone.
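To make that last point concrete, here is a small offline model of the attack's consequence. It is an added illustration, not code from this post, from Samy Kamkar, or from any of the car services named above, and it assumes a hypothetical service design: the app sends a username and password to a login endpoint, receives a bearer token, and presents that token to send vehicle commands. Two service variants are compared, one whose tokens never expire and cannot be revoked, and one with short-lived tokens and a server-side revocation switch. The interceptor simply copies every request the app sends, which is all a man-in-the-middle needs once the app talks to it as if it were the real server.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 600  # seconds; an assumed value for the illustration


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Interceptor:
    """Plays the man-in-the-middle: keeps a copy of every request the app sends."""
    def __init__(self):
        self.captured = []

    def forward(self, request):
        self.captured.append(dict(request))
        return request


class StaticTokenService:
    """Hypothetical vehicle service whose bearer tokens never expire and cannot be revoked."""
    def __init__(self, username, password):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.tokens = {}  # token -> issue time

    def _check(self, username, password):
        return username == self.username and hmac.compare_digest(
            hash_password(password, self.salt), self.pw_hash)

    def login(self, username, password, now):
        if not self._check(username, password):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = now
        return token

    def unlock(self, token, now):
        # Any token ever issued stays valid forever.
        return token in self.tokens

    def change_password(self, new_password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new_password, self.salt)

    def revoke_all_sessions(self):
        pass  # this variant offers no way to kill existing sessions


class ExpiringTokenService(StaticTokenService):
    """Same service with short-lived tokens and a server-side revocation switch."""
    def unlock(self, token, now):
        issued = self.tokens.get(token)
        return issued is not None and now - issued < TOKEN_TTL

    def revoke_all_sessions(self):
        self.tokens.clear()


def simulate(service_cls):
    """Return whether the attacker can unlock the car: at once, a day later,
    and after the app is patched and the owner changes their password."""
    user, password = "owner@example.com", "correct horse battery staple"  # constructed
    service = service_cls(user, password)
    mitm = Interceptor()
    t0 = 1_700_000_000
    # The owner's app logs in through a channel the attacker controls.
    req = mitm.forward({"user": user, "password": password})
    service.login(req["user"], req["password"], now=t0)
    # The attacker logs in with the captured credentials and commands the car.
    stolen = mitm.captured[0]
    atk_token = service.login(stolen["user"], stolen["password"], now=t0)
    at_once = service.unlock(atk_token, now=t0)
    later = service.unlock(atk_token, now=t0 + 86_400)
    # The app is patched (no further capture) and the owner changes their
    # password, but the attacker still holds the token issued earlier.
    service.change_password("new password, never seen by the attacker")
    service.revoke_all_sessions()
    after_response = service.unlock(atk_token, now=t0 + 86_400)
    return at_once, later, after_response


if __name__ == "__main__":
    print("static tokens  :", simulate(StaticTokenService))    # (True, True, True)
    print("expiring tokens:", simulate(ExpiringTokenService))  # (True, False, False)
```

With non-expiring, non-revocable tokens the attacker keeps access even after the owner changes their password, which is the "indefinitely" in Kamkar's quote. Short-lived tokens plus a revocation switch bound the damage to the token lifetime; fixing the app only stops new captures.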

You can read the full story at Wired, and about Samy Kamkar’s successful hack of GM cars here.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

8 comments on “Your BMW or Merc may also be at risk of being hacked, because of your iOS app”

  1. Simon

    I'm glad I have a car without these smarts…

    Seems a lot more emphasis needs to be put towards securing these mechanisms. I wouldn’t be surprised if other cars are vulnerable to the same/similar flaws…

  2. Jon

    And manufacturers are even now ploughing on into the Brave New World of driverless automotive technology. In a few years' time, your insurance premiums could very well be based on how easy your car is to hack.

  3. mark jacobs

    Is it just me, or does it seem reasonable that YOU DO NOT WANT TO PUT YOUR CAR ENGINE'S CONTROL SYSTEMS ON THE INTERNET? It just seems like common sense to me, but we should not be wifi-enabling life-or-death instrumentation. I would hate to see a wifi-enabled pacemaker come out, and then see subsequent headlines appear of wearers dying from being drive-by hacked!

    1. Coyote · in reply to mark jacobs

      It isn't just you. And yet there is a growing fascination with the IoT, but it is pure stupidity. That's the nicest I can put it. I've written about this for some years but the masses just don't get why it is such a bad idea to have cars (and other heavy machinery) connected to a network (or otherwise not in the control of the driver – and only their control [or I suppose with planes the pilot and co-pilot]).

    2. 4sash · in reply to mark jacobs

      That day is already here. Google "pacemaker hacking" or "pacemaker security flaws" and you will see that ICDs (cardioverter defibrillators) can be commanded to give a lethal shock from a distance of 50 feet. The security is very poor in those devices. It was designed to be convenient for health care providers to adjust settings etc. without opening up the patient, but surely they could have added at least 2 layers (to and from) of firewall and/or password protection! Backdoors (needed during emergency) can be hidden and access limited to healthcare providers. With so many routers and public WiFis around, 50 ft is all a random trigger-happy psychotic person needs.
      PS: I have devices inside my body, but fortunately they are mechanical :-)

  4. Pete

    Lesson: "Smart" car = stupid idea.

    1. Simon · in reply to Pete

      Agreed, but the sentiments of a few are no match for the 'scary' evolution of what the automotive industry are gravitating towards…

      I envision self-driving vehicles in logistics will slowly replace truck drivers.

      Imagine the impact this'll cause. Not just for those that do this for a living, but those who depend on their employment.
      The domino effect will likely spread to those servicing these truckies in far/remote locations.
      A good sum of business is from those behind the wheel wanting a meal, refill, etc…
      Compounding the fact that the service industry also has dependencies/mouths to feed…

      Once regulations cave in and approve driverless vehicles, it'll be interesting times thereafter…

  5. Mike Sangha

    Most cars on the road today – and not carrying "antique" license plates in the USA – are computers. The average car has 100 million lines of code!! You cannot have that amount of code and not have bugs. This blogger is right (we don't drive cars, we drive computers!). The horses are out of the barn. If you think this is bad, wait till IoT is a full-blown phenomenon.
