It seems cars are becoming the big new thing for security researchers. Last week there was a huge story about a vulnerability in the Fiat Chrysler Uconnect technology that resulted in the recall of 1.4 million vehicles, and now security expert Samy Kamkar has disclosed a vulnerability in the OnStar communications system from GM. OnStar links your vehicle to your smartphone and offers features like turn-by-turn navigation, hands-free calling, remote diagnostics, stolen vehicle tracking, ignition blocks in case of theft, automatic crash response, remote unlocking, etc.
The hacking tool is based on a Raspberry Pi computer and costs under $100 to assemble. Called "OwnStar", the kit is able to locate, unlock and remote-start any GM vehicle that uses OnStar RemoteLink. All that is needed is to plant the cheap, homemade Wi-Fi hotspot device somewhere on the car's body. Once that's done, the attacker can intercept the communication between the RemoteLink mobile app and the OnStar servers via a man-in-the-middle attack and then connect to the car over a 2G cellular connection.
When the driver comes within Wi-Fi range of Kamkar’s $100 contraption, which he’s named “OwnStar” in a reference to the hacker jargon to “own” or control a system, it impersonates a familiar Wi-Fi network to trick the user’s phone into silently connecting. (Modern smartphones constantly probe for known networks, so the trade-paperback-sized box, packed with three radios and a Raspberry Pi computer, can listen for and then impersonate a friendly network, or by default call itself “attwifi” to appear as a common Starbucks connection.) If the user launches the GM RemoteLink Android or iOS app while their phone is within Wi-Fi range and unwittingly connected, OwnStar is designed to exploit a vulnerability in GM’s app to steal the user’s credentials and send that data over a 2G cellular connection to the hacker. “As soon as you’re on my network and you open the app, I’ve taken over,” Kamkar says.