Security Researcher Modifies Device To Hack BMW, Mercedes-Benz and Chrysler Vehicles | DrivingSales News

August 18, 2015

Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated his device’s ability to intercept credentials from the RemoteLink mobile application in GM’s OnStar computer system, thereby allowing an attacker to clone them and use them to track, unlock, and even start a vehicle remotely.

At the recent DEF CON in Las Vegas, Kamkar revealed the details of the attack, noting that the RemoteLink app on iOS devices had failed to properly check the certificate for a secure connection to OnStar’s server or to use a “pinned” certificate hard-coded into the application itself. After the attack, GM quickly resolved the issue with a RemoteLink app update.

Kamkar has now moved on to other targets with his appropriately named “OwnStar” device. He announced he has adapted the tool to target applications for BMW Remote, Mercedes-Benz mbrace, and Chrysler’s Uconnect services on iOS devices. He claims all three have the exact same vulnerability as the RemoteLink app did, writing on Twitter that they have “no pinned cert or even PKI/[certificate authority] validation. Trivial to attack an unadulterated mobile device.”

While GM has since responded to the flaw in its RemoteLink app and issued patches to fix it, it’s unclear what the other companies will do. Presumably, they will similarly work as quickly as possible to release a fix to remove the vulnerability in their vehicles’ systems.

The OwnStar device packs all of the components required to execute an attack into a portable case that can be placed near a targeted vehicle. It can capture the login credentials of a car owner using a mobile app to remotely unlock, lock, or start the vehicle, and can then load the data onto a copy of the targeted mobile app on the attacker’s own device, thereby giving the hacker access to execute all of the functions of the telematics system on the targeted car. Kamkar explained that the vulnerability stems from a flaw that is very common in mobile apps: reliance on a remote server’s certificate being valid, regardless of what network the connection is over.
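The two client-side checks the apps were reported to lack, CA/hostname validation and a pinned certificate, look like this in Python. This is an added example, not code from any of the apps or from Kamkar; the sample certificate bytes and pin are constructed placeholders, and pinning the leaf certificate's SHA-256 fingerprint is one assumed pinning scheme.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the server's DER-encoded leaf certificate.
SAMPLE_CERT_DER = b"constructed-sample-der-bytes-for-telematics-api"
# Pin shipped inside the app: SHA-256 fingerprint of the expected certificate.
PINNED_SHA256 = {hashlib.sha256(SAMPLE_CERT_DER).hexdigest()}


def cert_matches_pin(cert_der, pins):
    """Return True if the certificate's SHA-256 fingerprint is in the pin set."""
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    return any(hmac.compare_digest(fingerprint, pin.lower()) for pin in pins)


def strict_context():
    """Client TLS context that enforces CA chain and hostname validation."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host, port, pins):
    """Open a TLS connection and fail closed before any credentials are sent."""
    sock = socket.create_connection((host, port), timeout=10)
    try:
        # The handshake raises if the chain or hostname does not validate.
        tls = strict_context().wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    leaf = tls.getpeercert(binary_form=True)
    if leaf is None or not cert_matches_pin(leaf, pins):
        # A certificate that validates but is not the pinned one is rejected.
        tls.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls
```

With both checks in place, a certificate presented by an interception device on the same network fails either the chain validation or the pin comparison, so the login request is never sent.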

Kamkar says that he’s only tested the attack on the iOS apps and that he has alerted BMW, Mercedes and Chrysler to the vulnerability. He has not yet tested it on actual vehicles, as he doesn’t have permission, but he says that he has intercepted the codes that would let him do so. Kamkar claims that “if you’re using any of these four apps, I can automatically get all of your login information and then indefinitely authenticate as you.” This includes obtaining the car owner’s home address, email address, and even credit card information.

Remote takeover of a car and interception of personal information are two of the biggest concerns for many drivers when it comes to the safety of connected cars and self-driving vehicles, and Kamkar’s ability to compromise the security of major automakers’ computer systems is certain to heighten these worries.

BMW didn’t respond to a request for comment, but a Mercedes-Benz representative wrote in an email to WIRED that “we don’t want to engage in speculation about potential hacks (often the result of extreme manipulation) that have very little likelihood of occurring in the real world and create unnecessary concern.”

About the Author:

The DrivingSales News team is dedicated to breaking the relevant and the tough stories affecting car dealers. Have questions for DrivingSales News? Reach the team at news@drivingsales.com.