Security researcher Samy Kamkar has found a way of launching a man-in-the-middle attack that can steal OnStar account information. After intercepting communications between a smartphone running the OnStar RemoteLink app and the OnStar servers, Kamkar is able to locate, unlock and remote start vehicles.
Kamkar’s homemade video shows you the hack in action, using a small $100 box of electronics that incorporates a Raspberry Pi microcomputer creating a small WiFi network. Kamkar has wryly dubbed the gadget, “OwnStar”.
Kamkar says that the vulnerability lies not in the cars but instead in the smartphone app, which is failing to take adequate security measures when communicating with the OnStar servers.
As a consequence, as Wired reports, once Kamkar’s box of tricks has stolen credentials from the car owner’s app, the owner can be attacked in a number of ways:
With the user’s RemoteLink login credentials, Kamkar says a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition to drain its gas or fill a garage with carbon monoxide, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.
Kamkar will be demonstrating the attack, and discussing other aspects of car hacking, at next week’s DEF CON hacker conference.
News of Kamkar’s research comes soon after the (somewhat more sinister) demo which saw a Jeep’s entertainment system, engine and brakes interfered with by security researchers sat 10 miles away, while it was being driven down a busy highway at 70mph.
That vulnerability requires car owners to either take their vehicle back to the dealer, or to apply a patch via a USB stick. In the case of OnStar it sounds as if a security update to the OnStar RemoteLink app for Android and iOS will be enough.
Nonetheless, you really have to wonder whether manufacturers are racing to connect their vehicles to the internet at a hazardous speed – when they should really be applying the brakes until they have a proper handle on security.