OnStar exploit gives hackers access to car engine, locks

GM’s OnStar system is supposed to make being behind the wheel easier, but a hacker has found a flaw that could cause chaos for millions of drivers.

Security researcher Samy Kamkar said he’s been able to remotely start car engines and operate other vehicle features from afar, releasing a proof-of-concept video of his research Thursday showing how a homemade computer device composed of a Wi-Fi hotspot and about $100 in parts can give hackers control over cars equipped with OnStar.

The exploit requires his “OwnStar” device to be physically installed on the targeted vehicle. Once up and running, however, it allows a hacker anywhere in the world to unlock doors, honk the horn or locate the car at its precise location.

In his YouTube video, Mr. Kamkar said OwnStar attempts to trick the car’s onboard system into connecting to a malicious Wi-Fi network. If the connection is successfully established, the car will then send sensitive user data over that network with the intent of supplying OnStar with second-by-second navigational details, the likes of which in actuality ends up in the hands of the hacker.

“After a user opens the RemoteLink mobile app on their phone near my OwnStar device, OwnStar intercepts the communications and sends specially crafted packets to the mobile device to acquire additional credentials then notifies me, the attacker, about the vehicle that I indefinitely have access to, including its location, make, and model,” he explained in the clip.

By disguising the name of the malicious network running inside the OwnStar box to something innocent-looking like “attwifi,” the free Wi-Fi account often available at Starbucks, a hacker has better odds of tricking a phone with RemoteLink into automatically connecting. According to OnStar’s website, the smartphone app has been installed more than 3 million times.

Mr. Kamkar plans to release further information about the hack during DefCon, an annual security conference slated to begin next week in Las Vegas.

GM spokesman Terrence Rhadigan confirmed the vulnerability to Reuters and said a fix would soon be released. On Thursday afternoon, however, Mr. Kamkar wrote on Twitter that the issue had yet to be resolved.

“We believe the chances of replicating this demonstration in the real world are unlikely. In addition, the action involves one user at a time, and would impact only that specific user’s account,” the spokesperson said.

Mr. Kamkar’s exploit is the second in as many weeks with regards to commandeering Internet-connected automobiles. Last week, researchers Charlie Miller and Chris Valasek disclosed details concerning a flaw with the onboard entertainment system in new Jeep Cherokees, the likes of which they had been able to exploit to assume control over a compromised car’s steering, brakes and acceleration.

Fiat Chrysler called the researcher’s’ work “criminal” and had to recall roughly 1.4 million vehicles. They too will release further details at DefCon next week.