Can A Hacker’s Device Control GM Cars With OnStar System?

Security researcher and freelance developer Samy Kamkar posted a YouTube video of a device called OwnStar, which he claims enables him to monitor and intercept communications between General Motors’ OnStar RemoteLink app and any OnStar-equipped car.

The concerning news is that the hack is real. GM worked quickly to issue a fix, but Kamkar discovered the fix was incomplete, a fact that GM subsequently confirmed. Now, an app update for the iOS platform has been released that is said to completely fix the issue.

By using the OwnStar device, Kamkar was able to issue commands through OnStar’s RemoteLink app to any of GM’s compatible cars. In the video, Kamkar was able to act as if he owned the car that he was controlling, finding its exact location, unlocking the doors and even starting the engine. He says the security flaw lies in the mobile software. Considering the fact that the OnStar in-vehicle system is available in more than 30 GM vehicles, Kamkar’s hack comes as yet another reminder the road to fully connected cars is proving to be a bumpy one.

“GM takes matters that affect our customers’ safety and security very seriously,” wrote General Motors in a statement. “GM product cybersecurity representatives have reviewed the potential vulnerability recently identified. In working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk.”

GM is obviously taking the situation very seriously, but perhaps the hack isn’t quite as bad as it initially appears. Kamkar wasn’t able to drive off in the car without the key, and cars that have been started remotely automatically shut off in 10 minutes if they haven’t been driven away. At the same time, the idea that a hacker could be tracing a car’s location and unlocking its doors is obviously extremely disconcerting, and hacks such as this certainly make it more difficult to convince consumers that fully connected cars are safe from remote intruders.

Kamkar hasn’t yet released the full details of the OwnStar hack and is expected to tell the whole story at the upcoming annual Defcon hacker conference in Las Vegas. He claims that if a hacker can plant a cheap, homemade Wi-Fi hot spot device somewhere on a car’s body, such as under a bumper or its chassis, to capture commands sent from the user’s smartphone, the results for vulnerable vehicle owners could range from pranks to privacy breaches to actual theft.

“If I can intercept that communication, I can take full control and behave as the user indefinitely,” said Kamkar. “From then on I can geolocate your car, go up to it and unlock it, and use all the functionalities that the RemoteLink software offers.”

For GM dealership employees, it’s important to continue to watch this story closely as it develops. At this point, GM seems confident their fix has eliminated the security risk in the OnStar system, but the situation could certainly change as Kamkar reveals the full abilities of his invention.