Samy Kamkar is at it again and this time he is leaving no car left unturned. Or unhacked in this case. Following on his warning that GM‘s OnStar computer system is not the only one that’s prone to getting infiltrated, the hacker has proved that other car maker’s Internet-based remote control systems are equally susceptible. The list has now grown to include BMW‘s Remote, Mercedes-Benz‘ mbrace, and Chrysler‘s Uconnect, allowing hackers to unlock and track a wide range of “smart” cars that are growing in number and popularity.
Late last month, Kamkar demoed his homemade $100 box called OwnStar as a proof of concept of how it was possible to intercept communication between a GM OnStar-enabled vehicle and the company’s servers. Once the necessary credentials have been pilfered, the hacker basically has access to basic functionality like unlocking GM cars, track them, and even start the engine, though they can’t drive off with them.
It turns out that the same vulnerability in GM’s RemoteLink mobile app is also present on other car maker’s iOS apps as well. It is the exact same vulnerability, which means Kamkar can use his OwnStar to spoof BMW, Mercedes-Benz, and Chrysler cars, get the user’s credentials, and exercise some control over them. Admittedly, the different cars have different exposed functionality, so the effects vary from car maker to car maker.
Unlike the GM hack, however, Kamkar’s findings still live in the realm of possibility, having not yet been tested on actual production vehicles. Kamkar is withholding from releasing his findings and code to the public to give the car makers time to respond and patch their apps if needed.
The response of the car makers are interesting as well. GM acted swiftly and patched its RemoteLink mobile app. Mercedes-Benz said it doesn’t engage in potential hacks that have very little chance of happening in reality. BMW claims that it uses the same industry-standard security that online banking apps use and adds that a man-in-the-middle hack that Kamkar proposes is virtually impossible. Chrysler’s parent company even goes as far as subtly taking issue with Kamkar’s “irresponsible disclosure” of knowledge that could help criminals. In the same breath, it says that there has been no real world incident of unlawful remote hacking into any Chrysler vehicle. An amusing claim considering it just recently recalled over a million 2014 Jeep Cherokees over a proven hacking vulnerability.