Friday, July 31, 2015

OwnStar’d! Enterprising Wiz Hacks OnStar to Enable Remote Functions, GM Releases Fix [UPDATED]

OwnStar Box and OnStar App

-

’Tis the season, apparently, to get hacky. In the wake of the Wired story that saw a Jeep Cherokee in a ditch after pair of hackers took control of the ute remotely via a UConnect vulnerability comes the announcement of OwnStar, a little black box that, when attached surreptitiously to a GM OnStar-equipped vehicle, executes a man-in-the-middle attack between that vehicle and the OnStar RemoteLink app. It allows a hacker to enjoy the full suite of RemoteLink capabilities, including unlocking doors, tracking the car’s whereabouts, and starting the vehicle remotely, as illustrated in the video below.

-

According to Samy Kamkar, the creator of OwnStar, the vulnerability doesn’t lie in the vehicles; rather, it’s an exploitable flaw in the RemoteLink app’s code that allows him to take control of the cars. While he’s only experimented on one vehicle—a friend’s Chevrolet Volt—there’s no real reason to suspect that it won’t work with other GM vehicles, given that the problem is on the mobile-device side.

-

Kamkar plans to release full details of the exploit during next month’s annual DefCon security conference in Las Vegas. While GM told Wired that it has relocked the door that Kamkar used to enter, the security analyst tweeted today that he’s still able to take control of OnStar.

--

-
--
-

The hacker says GM has been receptive to his work; we imagine a patch for the exploit will be available by the time Kamkar gives his talk during the conference, which runs August 6 through 9. In the interim, the only sure-fire defense against OwnStar is to give up using the app for the moment. Still, given that we doubt there are a flood of dudes armed with knockoffs of Kamkar’s box named things like “PwnStar”, “Pr0nStar”, and “SausageCastleStar,” you’re still probably all right.

-

UPDATE: It seems GM’s original fix was a back-end patch that closed the hole for Blackberry, Android, and Windows Phone users without the need to update software on owners’ devices, but Kamkar’s exploit still worked on Apple’s iOS. GM notified us via Twitter (presumably to catch our attention on the shared C/D mobile device) that an updated version of the RemoteLink app is now available.

--

-

-

No comments:

Post a Comment