Sammy Kamkar built a small device about the size of a router that he calls, a bit cheekily, “OwnStar.” It’s designed to break into the OnStar system and do anything one of its operators can do, including remotely track a car, lock or unlock doors, or start the engine, according to Wired.
Kamkar reported the issue to GM before the Wired story was published, and plans to reveal full details of the hack during the DefCon conference next week. The carmaker claims to have already fixed the problem by instituting stronger certificate controls at the servers that control the OnStar RemoteLink remote-access app.
OwnStar relies on this smartphone app, which sends signals to a car’s onboard computers. The device must be positioned somewhere on the car itself, close enough to intercept these signals. It then poses as the car’s actual systems, and harvests the car owner’s credentials. A hacker can use those credentials to mimic the app, and give remote commands to the car.
This was possible because the OnStar app wasn’t originally programmed to check for fake encryption certificates, something GM claims to have corrected in its recent update. Unlike with the Chrysler vulnerability exposed by researchers Chris Valasek and Charlie Miller, this was done through the OnStar system’s servers, so owners won’t have to take any action.
However, Kamkar isn’t convinced that the problem has been fixed. Yesterday, he tweeted that the issue is “not actually resolved yet.” He said he had spoken to GM, and was told the company was working on a final fix.
Earlier this week, GM announced that it had surpassed 1 billion OnStar customer interactions, including those using the app, phone calls, and in-vehicle interfaces. It says about 8.8 million of those interactions were done through the app, and claims to have over 7 million OnStar subscribers right now.
