GM issues fix for OnStar hack

Just last week Chrysler recalled 1.4 million vehicles after hackers revealed a software bug. Now, a new hack exposes a vulnerability in GM vehicles equipped with OnStar. Users of the iOS RemoteLink app are encouraged to update ASAP.

Tim Stevens Former editor at large for CNET Cars
Tim Stevens got his start writing professionally while still in school in the mid '90s, and since then has covered topics ranging from business process management to video game development to automotive technology.

OnStar's RemoteLink proves vulnerable. Tim Stevens/CNET

Just this morning, security researcher Samy Kamkar posted a YouTube video of a device called OwnStar, which he claimed enabled him to monitor and intercept communications between General Motors' OnStar RemoteLink app and any OnStar-equipped car.

The bad news is that the hack is legitimate. GM worked to quickly issue a fix, but Kamkar discovered that fix was incomplete, a fact GM has confirmed. Now, an app update for the iOS platform has been released that fixes the issue.

With the OwnStar device, Kamkar was able to issue commands through OnStar's RemoteLink app -- which lets drivers control some features of their cars like locking doors and turning on lights with a mobile device -- to any of GM's compatible cars. OnStar, an in-vehicle system that provides security services, hands-free calling, turn-by-turn navigation and more, is available in more than 30 GM vehicles. Kamkar was able to act as if he owned the car in the video, finding its exact location, unlocking the doors and even starting the engine.

In the wake of the Chrysler hacks last week, this is yet another reminder that the road to fully connected cars is proving to be a bumpy one. Automakers and other tech firms are racing to outfit cars with more technology, especially ones that connect them via the Internet. Cars are no longer standalone devices; they are part of the Internet of Things, the concept of using sensors and other tech to connect everyday items to the Web. That can leave your car as vulnerable as your computer or smartphone to hacks, but with greater consequences.

The hack is not quite as bad as it sounds. Kamkar couldn't drive off in the car without the key, and cars that have been started remotely automatically shut off in 10 minutes if they haven't been driven away. That said, the idea that any stranger could be tracing your car's location and unlocking its doors is very disconcerting, to say the least.

The hardware used for the OwnStar device appears to be a mixture of an extremely simple computer called a Raspberry Pi and some wireless adapters, all tucked into a small protective case. Kamkar has not fully detailed the nature of the OwnStar hack, waiting to spill all the beans at the annual Defcon hacker conference in Las Vegas, Nevada.

Update, 10:31 a.m. PT: Security researcher Samy Kamkar says that GM's original fix to the OnStar system was not successful. We'll continue updating here with more information as we get it, but you can also follow Samy on Twitter to get the latest.

Update, 4:56 p.m. PT: GM said an app update will be required, issuing the following statement:

GM takes matters that affect our customers' safety and security very seriously. GM product cybersecurity representatives have reviewed the potential vulnerability recently identified. In working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk.

Update, 12:07 p.m. PT 7/31/2015: GM has issued an update to its iOS app, the only vulnerable platform remaining. It is recommended that all users update their RemoteLink apps as soon as possible.