By on July 30, 2015


Not content with scaring the bejesus out of Chrysler owners, Wired has uncovered a hacker who says he can open a GM car with OnStar, start it or track it remotely. The only thing he can’t do is put the car in gear or steer it, which still requires a key.

Hacker Samy Kamkar says his $100 device can seriously annoy — or seriously rob — a GM car owner if he wanted to. GM promptly responded by saying it fixed the flaw in a way that owners won’t have to update their cars.

Kamkar said his exploit wasn’t meant to cause mayhem, but rather to show how modern, technological cars can be vulnerable to hackers.

Kamkar’s hack wasn’t as simple as the St. Louis duo’s Uconnect exploit that prompted a recall earlier this month.

A WiFi-enabled box would be attached to the target vehicle and emulate a well-known network, such as a popular coffee shop hotspot. Assuming the user logged onto the phony network and launched the GM RemoteLink app, Kamkar’s hack could retrieve the car’s data, including position. Kamkar could unlock the doors — or start the car.

“As soon as you’re on my network and you open the app, I’ve taken over,” Kamkar told Wired.

Kamkar said he’s only tried the hack on his friend’s 2013 Chevrolet Volt, but he’s confident the system would work on any OnStar-enabled car.

GM said it became aware of the hack a few days ago and patched the issue within hours of the story’s publication earlier today.

Surprisingly, this photo is provided by the manufacturer.


19 Comments on “OnStar Hack Can Open Doors, Start Car, Track Driver...”


  •

    I love my tech packages but not if they take away control/security/privacy from my vehicles.

  • carguy

    It would help if the automakers would actually focus on fixing the security problems instead of intimidating security researchers that are uncovering their mistakes.

  • Superdessucke

    “The only thing he can’t do is put the car in gear or steer it, which still requires a key.”

    For now…

  • APaGttH

    …Surprisingly, this photo is provided by the manufacturer…

    Heh

  • GMat

    Looks like the skinny jumping Asian kid from the Cadillac commercial “Daring: No Regrets.” Now in wolf’s clothing.

  • Ryoku75

    Strange how cars are so complex in their styling, but yet they use fairly simple programming security (if any).

    • JimC2

      “…yet they use fairly simple programming security (if any).”

      Reminds me of the heady days in the 1990s when the internet really started taking off. Sendmail was great for easily sending spoof emails. You could set the packet size on ping so high that it could shut down a cheap network card and effectively log someone off. You could pipe all manner of things to someone’s /dev/tty right when they were least expecting it… R-rated ASCII art, random carriage returns (13), and bells (7). It got really crazy when color terminals got more common, hooboy, don’t know how we all survived!

    • stuki

      For the same reason contemporary McMansions have all manners of cheesy ornamentation, and even alarm systems, yet the windows and doors (and even walls) are easily kicked down by any old thug.

      But, theiiiiii’re baaaad. Sooomeone should dooooo soomething……..

  • Volt 230

    The electrification of the modern automobile, how is that working out for you folks? Each passing day I love my 98 Corolla more and more!

    • mcs

      >> Each passing day I love my 98 Corolla more and more!

      This hack required planting a device on the car. It’s just a little more work to add a linear positioner to control a throttle on an older car and wiring into the abs (steering the car by applying one brake) if you have it.

  • Volt 230

    What you are referring to is mechanical sabotage, yeah, someone can cut my brake lines or put water in the master cylinder, or sugar in my tank, this is different, the systems in new cars are ripe for this kind of electronic hacking.

    • mcs

      The hack in the story required physically attaching a device to the vehicle. It wasn’t some hacker over the internet.

      So you have to attach one device for a Volt, but with the addition of a couple of more parts you get the same control over an older car.

    • Exfordtech

      Sugar actually won’t dissolve in gasoline. If enough is in the tank it can clog the pump screen, the fuel filter if any gets by the screen, and possibly the injectors if any makes it that far. Much better revenge is (according to a local bookie who knew a guy that did collecting) a Snickers bar, apparently the caramel will make its way to the engine. Don’t know if it’s true, my guess is it simply clogs the pump screen. Leg breaking was discouraged, as it leaves the debtor unable to make payments, but a follow-up phone call with a question of “how’s ya car runnin’, pay me” was much more effective.

  • Greg Locock

    “Assuming the user logged onto the phony network”

    If you go around logging into phony networks then people switching your car on and off remotely is the least of your worries.

    The Truth About ClickBait.

  • dwford

    It’s interesting that I’ve noticed changes to the functionality of my Intellilink system, but no acknowledgment that GM does over the air updates…

  • shaker

    I used Remote Link for the 3-month trial period on my ’13 Malibu, and it was cool to be able to remote start my car using my cellphone.

    Using it that way, it is like a cell-phone call; it can’t be intercepted/spoofed locally, so this hack couldn’t work.

    I didn’t know that Remote Link could be used locally over Wi-Fi (cheapskate owners don’t want cell charges?) – of course it could be hacked/intercepted, like a garage door opener – and it would have limited range/usefulness.

    Seems like yet ANOTHER case against Wi-Fi in cars.
