Incident Response, Network Security, TDR, Vulnerability Management

GM says OnStar app flaw fixed, researcher says still exploitable

A security researcher was able to exploit a vulnerability he discovered in GM's OnStar RemoteLink mobile application that lets an attacker identify, locate, unlock and start an OnStar-enabled vehicle.

Samy Kamkar revealed his discovery and demonstrated how a device he built, dubbed OwnStar, can exploit the bug and intercepts requests from a user's mobile app and the OnStar service in a YouTube video Thursday. The device sends special packets to the OnStar network to obtain the vehicle's credentials and gain unauthorized access.

The flaw is located in the app software for RemoteLink, which allows users to access and control certain features and diagnostic information in OnStar-enabled vehicles from their mobile devices. As long as the device is within Wi-Fi range of a user who has the application open, it will automatically gather the information and send a text message to notify that it has gained access.

Kamkar said he reported his findings to GM last week and on Thursday the automaker told Wired that the flaw was fixed. But Kamkar confirmed to that as of that same afternoon he could still successfully exploit the vulnerability.

Kamkar added that these types of problems aren't unique to GM. Last week researchers disclosed a vulnerability in the UConnect software used in Fiat Chrysler vehicles that, if successfully exploited, could allow attackers to remotely control an affected vehicle. The disclosure resulted in the recall of about 1.4 million vehicles.

“In general, I think anyone building connected devices should be more careful,” Kamkar said. “Most connected devices we have will be vulnerable and larger companies need to pay more attention to security.”

Kamkar recommended that users not open the RemoteLink app until the flaw had been successfully patched. The researcher will give a presentation on the exploit and his device, as well as other vulnerabilities he found, at the DEF CON 2015 conference in Las Vegas in August.

UPDATE: Kamkar announced on Twitter, this Saturday that he has redesigned Ownstar to unlock the doors and attack BMW Remote, Mercedes-Benz mbrace, and Chrysler's Uconnect, and Viper SmartStart. He told ARS Tehnica that all the systems have the same vulnerability, a lack of certificate validation. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.