OwnStar gadget hacks GM's OnStar to unlock, start cars

As cars get more sophisticated and more connected to the Internet, they also become more vulnerable to malicious attack. That truth has been demonstrated before and will be demonstrated again at the DefCon conference next week. Hacker Samy Kamkar has developed a small box, made from three radios and a Raspberry Pi, which, when within Wi-Fi range, can snoop in on a GM car owner's communication with his GM OnStar, hack into the computer system, and do all sorts of mayhem short of actually driving away with the car.

GM's OnStar service allows users to control their connected car using only their smartphones. The range of capabilities include locating the car, unlocking the doors, and starting the engine. All of those are also available to a hacker once they've sniffed the right credentials from the user. Fortunately, no hacker can change the car's gear and drive away, as GM's cars still require a key to do that. Unfortunately, doing everything else is almost easy.

That said, it's not totally easy. The box, fittingly called OwnStar, has to be placed somewhere on the car or nearby, just within Wi-Fi range. The moment the owner uses his or her smartphone to communicate with the OnStar service online, the hacking gadget can impersonate the server and intercept the user's communication. From there, the hacker can also obtain data found on the OnStar account, including the user's name, email, home address, last four digits of the credit card and its expiration date. The user's private data and control over their car can use those for theft or nuisance.

GM has responded positively to the revelation and has promised that a fix would be coming soon that won't require the user's interaction. At the moment, though, Kamar says that the vulnerability still exists. That said, Kamar was only able to test his OwnStar on a friend's GM Volt but he is confident that since the vulnerability is based on an authentication problem with the OnStar app, any RemoteLink car can be affected.

This, along with recent incidents of car hackings, does bring a spotlight on a growing and worrying trend. As car makers rush to integrate more technological advancements and digital features, they should probably also be more cautious of the potential security issues those could bring.

SOURCE: WIRED