The Strategist

Samy Kamkar exposes a vulnerability in GM’s OnStar-equipped vehicles

07/31/2015 - 11:12

Samy Kamkar, a security researcher, has exposed a vulnerability in GM’s OnStar equipped vehicle, which although GM was quick to patch, but, as per Kamkar, the patch did not work, and the fault remains.

It would seem that General Motors is just not able to fix software bugs related to its new age cars. Just last week, Chrysler had recalled 1.4 million vehicles after security researchers exposed vulnerabilities in its vehicles. Once again, security researchers have brought to light a vulnerability with its OnStar equipped vehicles. Although General Motors was quick to respond with a fix, however as per Samy Kamkar, a security researcher, says the fix does not work and that the problem still exists.
So as to highlight the issue Samy Kamkar posted a video on YouTube with a device, aptly named ‘OwnStar’. He claims with the help of this device, one can monitor and intercept communications between GM’s OnStar RemoteLink app and any OnStar-equipped car.
The problem highlighted by the video is very real. Although GM was quick to issue a fix, unfortunately that supposed ‘fix’ did not do its job, as Kamkar discovered. General Motors has confirmed that Onstar-equipped cars are still vulnerable to this exploit.
Thanks to the OwnStar device, one can remotely issue commands through OnStar’s RemoteLink App and remotely control many features of the car such as the locking of doors, turning on the lights, etc. These can be done to any of GM’s OnStar-equipped car.
For the know-nots, OnStar is a in-vehicle system that provides a host of services, including hands free calling, turn by turn navigation, and some more. General Motors has equipped this feature on more than 30 models of its vehicles.
In the video, Kamkar demonstrates that although he did not own the vehicle, he could locate the exact position of the car, unlock its doors and even start its engine.
This is yet another reminder that the road ahead for fully connected cars is likely to be a bumpy one. Last week, saw the emergence of the Chrysler Hacks, which again demonstrated this fact that although auto manufacturers are racing ahead to outfit their cars with technology and the internet, it essentially makes the vehicle a part of Internet of Things. Unless secured, this essentially makes them targets for easy hacks but with greater consequences.
Although, this new unpatched vulnerability sounds scary it is not as bad as it sounds. For example, Kamkar could not drive off with the vehicle without the keys to the vehicle. Further cars which have been remotely started will automatically switch off within 10 minutes if they have not been driven away. The threats are very real they are not as bad as they sound, although they are rather disconcerting to say the least.
Meanwhile, GM has reported that it is working on a subsequent fix that will hopefully patch up the hack. The timeframe for the final patch is “soon”. It has come out with the following statement:
“GM takes matters that affect our customers' safety and security very seriously. GM product cybersecurity representatives have reviewed the potential vulnerability recently identified. In working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk.”