Samy Kamkar stands next to a Chevy Volt that he used to demonstrate how he could hack into the GM's OnStar mobile app in order to unlock and start the car. Credit: Samy Kamkar
A security researcher has posted a video on YouTube demonstrating how a device he made can intercept wireless communications to locate, unlock and remotely start GM vehicles that use the OnStar RemoteLink mobile app.
Samy Kamkar, who refers to himself as a hacker and whistleblower, posted the video today showing him using a device he calls OwnStar. The device, he said, intercepts communications between GM's OnStar RemoteLink mobile app and the OnStar cloud service.
The hack comes on the heels of another vehicle-related security breach that proved Fiats and Chryslers with early model versions of the UConnect Infotainment system could be broken into electronically, and the UConnect system used to control vital vehicle functions. Those hackers were able to control vehicle acceleration, braking and ignition systems, among others.
After the hack was made public, Fiat Chrysler Automobiles (FCA) issued a recall notice for 1.4 million vehicles in order to fix a software hole that allowed hackers to wirelessly break into some vehicles and electronically control vital functions.
The National Highway Safety Administration also plans to look into the matter and two U.S. senators also called for an investigation into Chrysler's handling of the recall, which they said came nine months after the company knew about the security flaw.
OnStar is GM's subscription-based, in-vehicle service that provides vehicle security, hands free calling, turn-by-turn navigation and remote diagnostics.
RemoteLink, for its part, is GM's OnStar mobile app that allows users to unlock and remote-start their vehicles from almost anywhere. The app also can turn on headlights, sound the horn and manage an equipped vehicle's Wi-Fi hotspot.
Kamkar said that after a user opens the OnStar Remote Link app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "specially crafted" data packets to the mobile device to acquire additional credentials. The OwnStar device then notifies the attacker about the new vehicle that the hacker has access to for an indefinite period of time, including its location, make and model. And at that point, the hacker can use the Remote Link app to control the vehicle.
"Fortunately, the issue lies in the mobile software and is not a problem with the vehicles themselves," Kamkar said. "GM and OnStar have so far been receptive to me and are already working quickly on a resolution to protect consumers."
Until GM provides a software patch, Kamkar suggested that OnStar vehicle owners not open the RemoteLink app.
Sign up for CIO Asia eNewsletters.