’Tis the season, apparently, to get hacky. In the wake of the Wired story that saw a Jeep Cherokee in a ditch after a pair of hackers took control of the ute remotely via a UConnect vulnerability comes the announcement of OwnStar, a little black box that executes a man-in-the-middle attack between GM OnStar-equipped vehicles and the OnStar RemoteLink app, allowing a hacker to enjoy the full suite of RemoteLink capabilities. This includes unlocking doors, tracking the car’s whereabouts, and starting the vehicle remotely, as illustrated in the video below.
According to Samy Kamkar, the creator of OwnStar, the vulnerability doesn’t lie in the vehicles; rather, it’s an exploitable flaw in the RemoteLink app’s code that allows him to take control of the cars. While he’s only experimented on one vehicle—a friend’s Chevrolet Volt—there’s no real reason to suspect that it won’t work with other GM vehicles, given that the problem is on the mobile-device side.
Kamkar plans to release full details of the exploit during next month’s annual DefCon security conference in Las Vegas. While GM told Wired that it has relocked the door that Kamkar used to enter, the security analyst tweeted today that he’s still able to take control of OnStar.
OwnStar update: GM told WIRED that OnStar bug was fixed, however it's not actually resolved yet. I spoke with GM & they're working on it now
— Samy Kamkar (@samykamkar) July 30, 2015
The hacker says GM has been receptive to his work; we imagine a patch for the exploit will be available by the time Kamkar gives his talk during the conference, which runs August 6 through 9. In the interim, the only sure-fire defense against OwnStar is to give up using the app for the moment. Still, given that we doubt there is a flood of dudes armed with knockoffs of Kamkar’s box named things like “PwnStar,” “Pr0nStar,” and “SausageCastleStar,” you’re still probably all right.
from Car and Driver Blog http://ift.tt/1fMnMvi