GM Fixes OnStar Vulnerability

Monday, August 3, 2015 @ 03:08 PM gHale

First it was Fiat Chrysler fixing hackable automobile systems; now GM has cleaned up its OnStar portal.

GM went to work on the problem, discovered by security researcher Samy Kamkar, but as it turned out the first fix was not a complete remedy. GM went back, and it has now released an app update for the iOS platform that fixes the issue.

Kamkar posted a video of a device called OwnStar, which he said enabled him to monitor and intercept communications between General Motors’ OnStar RemoteLink app and any OnStar-equipped car.

With his device, Kamkar was able to issue commands through OnStar’s RemoteLink app — which lets drivers control some features of their cars like locking doors and turning on lights with a mobile device — to any of GM’s compatible cars.

OnStar, an in-vehicle system that provides security services, hands-free calling, turn-by-turn navigation and more, is available in more than 30 GM vehicles. In the video, Kamkar was able to act as if he owned the car, finding its location, unlocking the doors and even starting the engine.

Automakers and other tech firms are racing to outfit cars with more technology, especially technology that connects them via the Internet. Cars are no longer “air gapped” systems; rather, they are part of the Internet of Things, connecting to various points over the Internet. While there are some pretty solid reasons for doing that, it can also leave an auto as vulnerable to hacks as your computer or smartphone.

Kamkar couldn’t drive off in the car without the key, and cars that start remotely automatically shut off in 10 minutes if someone doesn’t drive them away.

The hardware used for the OwnStar device appears to be a mixture of an extremely simple Raspberry Pi-based computer and some wireless adapters, all tucked into a small protective case.

By Friday, GM issued an update to its iOS app, the only vulnerable platform remaining. The auto giant said all users should update their RemoteLink apps as soon as possible.