
Researcher says he can hack GM's OnStar app, open vehicle, start engine

Old 07-30-2015, 02:38 PM
  #1  
Greg00Coupe
Race Director
Thread Starter
 
 
Member Since: Aug 1999
Location: Bluffton SC via Canton Oh
Posts: 11,330
Received 1,974 Likes on 1,140 Posts

Researcher says he can hack GM's OnStar app, open vehicle, start engine

I really do not have any use for OnStar. Frankly never use it. Did not even want to turn it on last week but the dealer says if I don't it costs him $100.

Now this:

http://www.wired.com/2015/07/gadget-...-unlock-start/

I'm not worried about this because as soon as the 6 month trial is up I'm done but if it were not for the $100 I would have never turned it on.
Old 07-30-2015, 03:05 PM
  #2  
busterkeller
Advanced
 
 
Member Since: Jan 2015
Location: Elkhart Indiana
Posts: 68
Likes: 0
Received 1 Like on 1 Post

Researcher says can hack GM's OnStar app, open vehicle, start engine
BY Reuters
— 2:16 PM ET 07/30/2015

By Jim Finkle and Bernie Woodall

BOSTON/DETROIT, July 30 (Reuters) - A researcher is advising drivers to halt the use of a mobile app for General Motors Co's (GM) OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to remotely unlock cars and start engines.

"White-hat" hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to "locate, unlock and remote-start" vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service.

Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities.

Kamkar released the video a week after Fiat Chrysler Automobiles recalled some 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. That bug allowed them to gain remote control of a Jeep traveling at 70 miles per hour on a public highway.

GM said its engineers had reviewed Kamkar's research. "A fix has already been implemented," the company said in a statement.

Kamkar said he discussed the fix with representatives from GM, but their efforts failed to thwart the attack method he uncovered, which uses a device he built and dubbed 'OwnStar.'

"They have not yet fixed the bug that 'OwnStar' is exploiting," he told Reuters.

Representatives with GM did not immediately respond to requests for comment on the status of the bug or fix.

The 'OwnStar' issue drew the attention of U.S. safety regulators from the National Highway Traffic Safety Administration.

Representatives from the agency discussed the issue with GM, said the flaw could involve doors and engine start-stop, but does not involve other critical safety systems, according to a person familiar with those discussions.

More than 3 million people have downloaded the OnStar RemoteLink mobile app for Apple (AAPL) iOS and Google Inc devices, according to OnStar's website. (Reporting by Bernie Woodall in Detroit and Jim Finkle in Boston; Editing by Jonathan Oatis and Jeffrey Benkoe)
Old 07-30-2015, 04:21 PM
  #3  
Rebel Yell
Le Mans Master
 
 
Member Since: Jan 2006
Location: Down south in Dixie
Posts: 6,801
Received 2,639 Likes on 1,702 Posts


Delete the app from your phone. Fixed it.......
Old 07-30-2015, 06:09 PM
  #4  
laborsmith
Burning Brakes
 
 
Member Since: Jun 2013
Posts: 895
Received 5 Likes on 5 Posts

Delete from phone? I truthfully do not understand.

I have been told by salespersons that dealers get $100 whenever OnStar is activated on their watch. For the record, I am the foremost proponent of OnStar that ever existed if you do not count the entirety of the human race.

In the past I have practiced being a bully to keep OnStar not activated, but I am not sure that is the right choice, on the other hand I do not know what else could be done other than allowing OnStar to be activated and later not renewing.

As a side note, OnStar is General Motors' biggest profit center. Not that that has anything to do with this discussion.

Laborsmith
Old 07-30-2015, 06:22 PM
  #5  
rcooper
Safety Car
 
 
Member Since: Oct 2012
Location: Austin Texas
Posts: 4,794
Received 676 Likes on 480 Posts
St. Jude Donor '15

Originally Posted by Rebel Yell
Delete the app from your phone. Fixed it.......

If you are not using the app then the hackers have no way in. Although I don't really have to worry as my car is a M7, damn tough to start without the clutch engaged.
Old 07-30-2015, 07:18 PM
  #6  
craigcurry
Racer
 
 
Member Since: Apr 2005
Location: Peoria Illinois
Posts: 297
Received 33 Likes on 18 Posts


Kamkar's article in Wired does not add up. When you use your OnStar mobile app, let's say to start your car, I believe that your OnStar app calls an OnStar backoffice and the backoffice calls your vehicle and issues a command to start. Kamkar has stated that his black box named, OwnStar, is just a Wifi hot spot. How does Wifi radio mix it up with cellular phone radio? Maybe he is just trying to throw us off. I would think that a black box would have a cellular radio with software that could perform a replay attack and get the necessary information that would allow the black box to act like the OnStar backoffice.

Another attack could be made by OwnStar by intercepting the backoffice call, get the vehicle information and use the hotspot to load your OnStar vehicle information onto the attacker's mobile phone. Now the attacker's mobile app has the same vehicle information as the owner. Now the attacker can use his OnStar app to start your vehicle.

Regardless, the OwnStar black box must have a cellular radio not just a Wifi hotspot.

I believe that Kamkar is a smart guy, but I also believe that his attacks require some inside information which most hackers do not have. Inside information that is specific to the vehicle under attack.

I also believe that the Wired article picture of the OwnStar box shows 2 antennas. Maybe a cellular and Wifi radio antenna.
Old 07-30-2015, 07:58 PM
  #7  
grandpawmoses
Race Director

 
 
Member Since: Feb 2014
Location: Center of the Universe, Alabama
Posts: 12,243
Received 95 Likes on 41 Posts

I'd guess his "box" works like this:
He has to be close to you.
You use the OnStar app and lock/unlock/or any OnStar app function.
His box receives your call too and "clones" his phone app to your OnStar account.
Old 07-30-2015, 08:48 PM
  #8  
nmvettec7
Safety Car
 
 
Member Since: Oct 2014
Posts: 3,548
Received 850 Likes on 493 Posts

I see no reason to make this OnStar situation an "issue".

I have had OnStar in several GM vehicles over many years back from a Malibu, Cadillac CTS, Camaro and now my C7.

I did not renew the OnStar after the 6 month trial on my 2015 C7.

OnStar still has access to any vehicle equipped with OnStar.

I don't sweat the small stuff in life like OnStar, worrying if they are eavesdropping on me or my conversations. I could care less, as I don't do anything illegal anyway.

If someone wants to hack into my C7 and steal it out of the 3 million cars equipped with OnStar, they can have it. That's what I pay insurance for.

The responses here are overblown, there are too many people psyched out over this. Every time you log into a computer, or mobile device you have a situation where you may be vulnerable to cyber attack.

It happens daily with corporations, government agencies and these entities have some of the best cyber security systems in place.

While OnStar might be a controversial topic, I wouldn't lose any sleep over this situation.

In today's world of high tech devices, we as humans have very little privacy anymore.

Live life to the fullest, "Life is Good", don't worry about OnStar.
Old 07-30-2015, 10:18 PM
  #9  
Vetteman Jack
Administrator

 
Member Since: Mar 2001
Location: In a parallel universe. Currently own 2014 Stingray Coupe.
Posts: 342,661
Received 19,208 Likes on 13,924 Posts
C7 of the Year - Modified Finalist 2021
MO Events Coordinator
St. Jude Co-Organizer
St. Jude Donor '03-'04-'05-'06-'07-'08-'09-'10-'11-'12-'13-'14-'15-'16-'17-'18-'19-
'20-'21-'22-'23-'24
NCM Sinkhole Donor
CI 5, 8 & 11 Veteran



I'm not going to go all over this.
Old 07-31-2015, 07:09 AM
  #10  
HoustonMidtown
Racer
 
 
Member Since: Apr 2014
Location: Houston
Posts: 401
Received 58 Likes on 46 Posts

Update: http://www.detroitnews.com/story/bus...ssue/30877307/
Old 07-31-2015, 07:28 AM
  #11  
RandyC7
Advanced
 
 
Member Since: Nov 2014
Posts: 77
Likes: 0
Received 3 Likes on 2 Posts

While I know a lot of people bash OnStar, I think it's a great system for safety and peace of mind and I have it in all my vehicles including my C7. My wife was in a serious car accident when another vehicle blew through a red light and t-boned her car. OnStar automatically got her help and called me, and I was able to be at the hospital before she arrived. As a volunteer fireman in a very busy dept that covers major highways in our area and are the ones who cut apart cars and perform extrications, time is critical in major traumas so getting help ASAP is very important and OnStar helps in that regard.
Old 07-31-2015, 02:15 PM
  #12  
Rebel Yell
Le Mans Master
 
 
Member Since: Jan 2006
Location: Down south in Dixie
Posts: 6,801
Received 2,639 Likes on 1,702 Posts


Originally Posted by RandyC7
While I know a lot of people bash OnStar, I think it's a great system for safety and peace of mind and I have it in all my vehicles including my C7. My wife was in a serious car accident when another vehicle blew through a red light and t-boned her car. OnStar automatically got her help and called me, and I was able to be at the hospital before she arrived. As a volunteer fireman in a very busy dept that covers major highways in our area and are the ones who cut apart cars and perform extrications, time is critical in major traumas so getting help ASAP is very important and OnStar helps in that regard.

Randy. While my car doesn't go far from home normally, I always have OnStar activated for my long road trips. Preparing for a short Route 66 run in Sept. (North Carolina to St. Louis to Tucumcari, NM then back home), and will have it activated for just a month then. Peace of mind makes these trips more enjoyable when you know if help is needed with anything it's just a button push away.
Old 07-31-2015, 02:40 PM
  #13  
Pisswilly
Melting Slicks
 
 
Member Since: Jun 2013
Location: Wisconsin
Posts: 2,148
Received 833 Likes on 369 Posts


I want to see someone remote start my M7!
Old 07-31-2015, 06:34 PM
  #14  
jimmyb
Race Director
 
 
Member Since: Jan 2005
Location: NC
Posts: 13,934
Received 4,248 Likes on 2,023 Posts


I don't want to over blow this but it is things like this that make me question autonomous cars. I mean, they can't keep our credit cards safe (or our Jeeps, it seems). Some jerkoff decides he's mad at the world (with computer skills) sits on an overpass and has his way with the car's computers.....

Jimmy
Old 08-04-2015, 03:31 PM
  #15  
JonathonK
CorvetteForum Editor
 
 
Member Since: Aug 2014
Posts: 121
Likes: 0
Received 2 Likes on 2 Posts

OnStar Meet OwnStar: The Hacking Device That Could Steal Your Corvette



According to the following video, FCA products aren’t the only ones at risk of being hacked.

Read the rest on the CorvetteForum.com homepage. >>
Old 08-04-2015, 03:40 PM
  #16  
bdanyluk
Drifting
 
 
Member Since: Jul 2010
Location: Atlanta Georgia
Posts: 1,400
Received 39 Likes on 31 Posts


That's why you unplug the antennae and transmitter from the onstar computer. Can't steal a car with no signal.

AND install Ravelco...can't steal a car without ignition and fuel pump working.
Old 08-04-2015, 07:46 PM
  #17  
Kevin1106
Instructor
 
 
Member Since: Sep 2014
Location: La Plata, MD
Posts: 236
Received 34 Likes on 22 Posts

Originally Posted by nmvettec7
I see no reason to make this OnStar situation an "issue".

I have had OnStar in several GM vehicles over many years back from a Malibu, Cadillac CTS, Camaro and now my C7.

I did not renew the OnStar after the 6 month trial on my 2015 C7.

OnStar still has access to any vehicle equipped with OnStar.

I don't sweat the small stuff in life like OnStar, worrying if they are eavesdropping on me or my conversations. I could care less, as I don't do anything illegal anyway.

If someone wants to hack into my C7 and steal it out of the 3 million cars equipped with OnStar, they can have it. That's what I pay insurance for.

The responses here are overblown, there are too many people psyched out over this. Every time you log into a computer, or mobile device you have a situation where you may be vulnerable to cyber attack.

It happens daily with corporations, government agencies and these entities have some of the best cyber security systems in place.

While OnStar might be a controversial topic, I wouldn't lose any sleep over this situation.

In today's world of high tech devices, we as humans have very little privacy anymore.

Live life to the fullest, "Life is Good", don't worry about OnStar.

Couldn't have said it any better.


Old 08-04-2015, 11:43 PM
  #18  
BUCKNERBUCK2
Racer
 
 
Member Since: Dec 2006
Location: Detroit MI
Posts: 309
Received 74 Likes on 43 Posts


I don't have the app installed for my M7 Corvette but I do on my Equinox. Love it. In Michigan winters it's great to start the car and also lock it when in an airport terminal.
If someone wanted to start my filthy leased Equinox while I'm on a business trip..... Have fun. I don't care. In 10 minutes it shuts off.
Hacks of the system won't continue, GM will fix it and there is no $ incentive here for hackers to continue trying.
Old 08-05-2015, 12:02 AM
  #19  
Zymurgy
Moderator

 
Member Since: Feb 2006
Location: DFW Area TX
Posts: 35,598
Received 15,066 Likes on 6,168 Posts


I already received an email from OnStar notifying me that I must update the app. I believe they already fixed the problem.
Old 08-05-2015, 08:53 AM
  #20  
jschindler
Team Owner
 
 
Member Since: Jun 2001
Location: Houston, TX
Posts: 26,715
Received 341 Likes on 166 Posts


Originally Posted by nmvettec7
I see no reason to make this OnStar situation an "issue".

I have had OnStar in several GM vehicles over many years back from a Malibu, Cadillac CTS, Camaro and now my C7.

I did not renew the OnStar after the 6 month trial on my 2015 C7.

OnStar still has access to any vehicle equipped with OnStar.

I don't sweat the small stuff in life like OnStar, worrying if they are eavesdropping on me or my conversations. I could care less, as I don't do anything illegal anyway.

If someone wants to hack into my C7 and steal it out of the 3 million cars equipped with OnStar, they can have it. That's what I pay insurance for.

The responses here are overblown, there are too many people psyched out over this. Every time you log into a computer, or mobile device you have a situation where you may be vulnerable to cyber attack.

It happens daily with corporations, government agencies and these entities have some of the best cyber security systems in place.

While OnStar might be a controversial topic, I wouldn't lose any sleep over this situation.

In today's world of high tech devices, we as humans have very little privacy anymore.

Live life to the fullest, "Life is Good", don't worry about OnStar.

I don't see anyone acting as though they are losing sleep over the issue, just discussing it, and fairly calmly at that.




All times are GMT -4.