If you’re the owner of a GM vehicle equipped with the OnStar system that is supposed to “keep you safe, connected and ready for the road ahead”, then there is a new security concern which you need to know about.
Security researcher Samy Kamkar has found a way of launching a man-in-the-middle attack that can steal OnStar account information. After intercepting communications between a smartphone running the OnStar RemoteLink app and the OnStar servers, Kamkar is able to locate, unlock and remote start vehicles.
Kamkar’s homemade video shows you the hack in action, using a small $100 box of electronics that incorporates a Raspberry Pi microcomputer creating a small WiFi network. Kamkar has wryly dubbed the gadget, “OwnStar”.
Kamkar says that the vulnerability lies not in the cars but instead in the smartphone app, which is failing to take adequate security measures when communicating with the OnStar servers.
As a consequence, as Wired reports, once Kamkar’s box of tricks has stolen credentials from the car owner’s app, the owner and their vehicle can be attacked in a number of ways:
With the user’s RemoteLink login credentials, Kamkar says a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition to drain its gas or fill a garage with carbon monoxide, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.
Kamkar will be demonstrating the attack, and discussing other aspects of car hacking, at next week’s DEF CON hacker conference.
News of Kamkar’s research comes soon after the (somewhat more sinister) demo which saw a Jeep’s entertainment system, engine and brakes interfered with by security researchers sat 10 miles away, while it was being driven down a busy highway at 70mph.
That vulnerability requires car owners to either take their vehicle back to the dealer, or to apply a patch via a USB stick. In the case of OnStar it sounds as if a security update to the OnStar RemoteLink app for Android and iOS will be enough.
Nonetheless, you really have to wonder whether manufacturers are racing to connect their vehicles to the internet at a hazardous speed – when they should really be applying the brakes until they have a proper handle on security.
4 comments on “How to hack, track and unlock a GM car via OnStar”
"From across the Internet, they can start the vehicle’s ignition to drain its gas or fill a garage with carbon monoxide" is factually inaccurate. You can't run the car indefinitely this way.
I'm CURRENTLY LIVING A NIGHTMARE DUE TO SOME HACKERS THAT HAVE MADE MY LIFE MISERABLE FOR THE LAST MONTH. I HAVE AN ONSTAR SYSTEM ON MY 2007 BUICK LUCERNE AND EVER SINCE THEY STARTED MESSING WITH MY CAR IT'S BEEN FRUSTRATING. SENDING FALSE REPORTS OF TIRE PRESSURE LOW, MY GAS, THEY'VE GOTTEN INSIDE THE VEHICLE AND DIRTIED IT. IT'S TOO MUCH. I want to know what I can do to stop this. This is a preowned vehicle. I'm subscribed to OnStar. Thank you.
I have the same problem. Guys hacked my phone, had the OnStar app, now even my car is hacked. The police won't help, the FBI is not accessible, you can't get in where they have the offices. I'm livid. We are so powerless to do anything, and there is no one to turn to!!
I think if you own your car you should have to depend on anybody else to do things in your car. OnStar is a joke to steal your money, advisors do nothing for you.
You can open your car and start with your phone? Why do they have to control your car if you are the one who pays for it?