Update 7/30/2015 3:00pm EST: GM tells WIRED that it has now fixed the vulnerability that Kamkar’s proof-of-concept device exploited, with no action necessary for OnStar users. Kamkar says the problem is not yet resolved, however, and has been told by GM that the company is still working on it.
GM’s OnStar service offers some of the most futuristic features on any connected car, including the ability to locate the vehicle, unlock it, and even start its ignition—all from a smartphone app. But if a hacker like Samy Kamkar has hidden a small, $100 box anywhere on your OnStar-equipped car or truck, those same conveniences could fall into unintended hands.
At the DefCon hacker conference next week, Kamkar plans to present the details of a new attack on GM’s OnStar RemoteLink system he’s developed that can allow a hacker to track a target vehicle, effortlessly unlock it, trigger the horn and alarm or even start its engine—everything but put the car in gear and drive it away, one function that thankfully still requires the presence of the driver’s key. Kamkar’s shown that if a hacker can plant a cheap, homemade Wi-Fi hotspot device somewhere on the car’s body—such as under a bumper or its chassis—to capture commands sent from the user’s smartphone, the results for vulnerable vehicle owners could range from nasty pranks to privacy breaches to actual theft.
“If I can intercept that communication, I can take full control and behave as the user indefinitely,” says Kamkar, a well-known security researcher and freelance developer. “From then on I can geolocate your car, go up to it and unlock it, and use all the functionalities that the RemoteLink software offers.”
When the driver comes within Wi-Fi range of Kamkar’s $100 contraption, which he’s named “OwnStar” in a reference to the hacker jargon “own,” meaning to take control of a system, it impersonates a familiar Wi-Fi network to trick the user’s phone into silently connecting. (Modern smartphones constantly probe for known networks, so the trade-paperback-sized box, packed with three radios and a Raspberry Pi computer, can listen for and then impersonate a friendly network, or by default call itself “attwifi” to appear as a common Starbucks connection.) If the user launches their GM RemoteLink Android or iOS app while their phone is within Wi-Fi range and unwittingly connected, OwnStar is designed to exploit a vulnerability in GM’s app to steal the user’s credentials and send that data over a 2G cellular connection to the hacker. “As soon as you’re on my network and you open the app, I’ve taken over,” Kamkar says.
With the user’s RemoteLink login credentials, Kamkar says a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account. Kamkar demonstrates parts of the attack in the video above, in which he tested the attack on a friend’s 2013 Chevy Volt.[1]
Kamkar cautions that he’s only tried his OwnStar attack on that friend’s Volt. But he believes the hack likely works with any RemoteLink-enabled vehicle: It takes advantage of an authentication problem in the OnStar smartphone app, not a vulnerability specific to any vehicle. And that app has been installed on at least a million Android devices alone, according to the count of Google’s Play store. Although the app does use SSL encryption, Kamkar says it doesn’t properly check the certificate that ensures the user’s phone is communicating only with the OnStar server. That means the OwnStar device can perform a “man-in-the-middle” attack, impersonating the server to intercept all the user’s data. Kamkar says he’s contacted GM OnStar to help the company fix the problem, which he believes could be achieved through a simple update of its RemoteLink app, and had an initial conversation with the company’s security team Wednesday.
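To make the certificate-check failure concrete, here is an added Python illustration written for this article (it is not the RemoteLink app’s code, which is an Android/iOS app) using the standard-library ssl module: a client context with the weak settings that let a rogue hotspot impersonate the server, the hardened form beside it, and an audit function that flags the weak settings. The ca_bundle path is an assumption.

```python
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """A client context that 'uses SSL' but accepts any server certificate.

    Traffic is encrypted, but nothing ties the far end to the real server,
    so a rogue hotspot presenting its own certificate is accepted and can
    read whatever credentials the client sends through it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the certificate chain is never validated
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """A client context that only talks to a server the trust store vouches for.

    ca_bundle is an assumed path to a PEM file holding just the CA the app
    expects (a simple form of pinning); None falls back to the platform store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # refuse legacy protocol versions
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client TLS context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate chain is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("server hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions are allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

Either context encrypts the connection; only the hardened one refuses a server whose certificate was not issued for the expected host by a trusted CA, which is the check that defeats an impersonating hotspot.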
In a statement to WIRED, a GM representative confirmed that the company is working on a patch for Kamkar’s hack. “Our customers’ safety and security is paramount and we are taking a multi-faceted approach to secure in-vehicle and connected vehicle systems, monitor and detect cybersecurity threats, and design vehicle systems that can be updated with enhanced security as these potential threats arise,” writes GM spokesperson Renee Rashid-Merem. “GM Product Cybersecurity representatives have reviewed the potential vulnerability recently identified by Mr. Kamkar, and an immediate fix is being implemented to address this concern.”
Kamkar’s goal isn’t to use his attack to help thieves steal the contents of cars or unleash a remote honking-hack epidemic on GM vehicles. Instead, he says his research is intended to draw attention to the larger problem of cars being vulnerable to digital attackers—along with other devices in the so-called “internet of things”—as they’re increasingly computerized and networked. “I do play Grand Theft Auto a lot, but my motivation isn’t to steal cars,” says Kamkar. “I want to point out the lack of security here and the fact we need to pay more attention as we make more devices connected and quote ‘smart.’ The proof of concept is to show that it’s reasonably trivial for someone in my industry to do this.”
Car hacking in particular seems likely to dominate this year’s Black Hat and DefCon hacker conferences, where much of the most interesting security research of the year is unveiled. Already, researchers Charlie Miller and Chris Valasek have demonstrated to WIRED that they could wirelessly hack a Jeep or any of hundreds of thousands of Chrysler vehicles over the Internet to control steering, brakes and transmission. That hacker exploit, which led to a 1.4 million vehicle recall, took advantage of a flaw in the Uconnect feature in Chrysler vehicles’ dashboards. Kamkar’s hack shows that the same connected features in other vehicles likely have their own vulnerabilities. “We need to start paying attention to this, or cars will continue to get owned,” he says.
In fact, Kamkar, a serial hacker who has recently revealed hacks for garage doors, combination locks and drones, also plans to reveal a second set of security vulnerabilities in cars’ digital key systems. He’s holding the details of those techniques until his DefCon talk. He adds that before focusing on GM OnStar, he had found yet another vulnerable automobile system that he had planned to speak about, but the company responsible for the flaws fixed them without his help. (Kamkar declined to reveal any more about that aborted research.)
The fact that Kamkar was able to switch his focus to GM OnStar and within weeks find another gaping vulnerability shows how bountiful the flaws in cars’ internet security have become, Kamkar says. “It’s a wide-open field…the carmakers are new to this,” he says. “If you continue to look at other cars or really anything in the Internet of things, you’re going to continue to see massive issues.”
[1] Correction 7/30/2015 11:30am EST: An earlier version of this story said that the remote ignition could be used to drain the gas or fill a garage with carbon monoxide, but a GM spokesperson pointed out that the remote ignition only allows the engine to run briefly and doesn’t respond to repeated uses without the key present.