By on July 30, 2015


Not content with scaring the bejesus out of Chrysler owners, Wired has uncovered a hacker who says he can open a GM car with OnStar, start it or track it remotely. The only thing he can’t do is put the car in gear or steer it, which still requires a key.

Hacker Samy Kamkar says his $100 device can seriously annoy — or seriously rob — a GM car owner if he wanted it to. GM promptly responded by saying it fixed the flaw in a way that owners won’t have to update their cars.

Kamkar said his exploit wasn’t meant to cause mayhem, but rather to show how modern, technological cars can be vulnerable to hackers.

Kamkar’s hack wasn’t as simple as the St. Louis duo’s Uconnect exploit that prompted a recall earlier this month.

A WiFi-enabled box would be attached to the target vehicle and emulate a well-known network, such as a popular coffee shop hotspot. Assuming the user logged onto the phony network and launched the GM RemoteLink app, Kamkar’s hack could retrieve the car’s data, including position. Kamkar could unlock the doors — or start the car.

“As soon as you’re on my network and you open the app, I’ve taken over,” Kamkar told Wired.

Kamkar said he’s only tried the hack on his friend’s 2013 Chevrolet Volt, but he’s confident the system would work on any OnStar-enabled car.

GM said it became aware of the hack a few days ago and patched the issue within hours of the story’s publication earlier today.

Surprisingly, this photo is provided by the manufacturer.


19 Comments on “OnStar Hack Can Open Doors, Start Car, Track Driver...”

  • avatar

    I love my tech packages but not if they take away control/security/privacy from my vehicles.

  • avatar

    It would help if the automakers would actually focus on fixing the security problems instead of intimidating security researchers that are uncovering their mistakes.

  • avatar

    “The only thing he can’t do is put the car in gear or steer it, which still requires a key.”

    For now…

  • avatar

    …Surprisingly, this photo is provided by the manufacturer…


  • avatar

    Looks like the skinny jumping Asian kid from the Cadillac commercial “Daring: No Regrets”. Now in wolf’s clothing.

  • avatar

    Strange how cars are so complex in their styling, but yet they use fairly simple programming security (if any).

    • 0 avatar

      “…yet they use fairly simple programming security (if any).”

      Reminds me of the heady days in the 1990s when the internet really started taking off. Sendmail was great for easily sending spoof emails. You could set the packet size on ping so high that it could shut down a cheap network card and effectively log someone off. You could pipe all manner of things to someone’s /dev/tty right when they were least expecting it… R-rated ASCII art, random carriage returns (13), and bells (7). It got really crazy when color terminals got more common, hooboy, don’t know how we all survived!

    • 0 avatar

      For the same reason contemporary McMansions have all manners of cheesy ornamentation, and even alarm systems, yet the windows and doors (and even walls) are easily kicked down by any old thug.

      But, theiiiiii’re baaaad. Sooomeone should dooooo soomething……..

  • avatar
    Volt 230

    The electrification of the modern automobile, how is that working out for you folks? Each passing day I love my 98 Corolla more and more!

    • 0 avatar

      >> Each passing day I love my 98 Corolla more and more!

      This hack required planting a device on the car. It’s just a little more work to add a linear positioner to control a throttle on an older car and wiring into the abs (steering the car by applying one brake) if you have it.

  • avatar
    Volt 230

    What you are referring to is mechanical sabotage, yeah, someone can cut my brake lines or put water in the master cylinder, or sugar in my tank, this is different, the systems in new cars are ripe for this kind of electronic hacking

    • 0 avatar

      The hack in the story required physically attaching a device to the vehicle. It wasn’t some hacker over the internet.

      So you have to attach one device for a Volt, but with the addition of a couple of more parts you get the same control over an older car.

    • 0 avatar

      Sugar actually won’t dissolve in gasoline. If enough is in the tank it can clog the pump screen, the fuel filter if any gets by the screen, and possibly the injectors if any makes it that far. Much better revenge is (according to a local bookie who knew a guy that did collecting) a Snickers bar, apparently the caramel will make its way to the engine. Don’t know if it’s true, my guess is it simply clogs the pump screen. Leg breaking was discouraged, as it leaves the debtor unable to make payments, but a follow-up phone call with a question of “how’s ya car runnin’, pay me” was much more effective.

  • avatar
    Greg Locock

    “Assuming the user logged onto the phony network”

    If you go around logging into phony networks then people switching your car on and off remotely is the least of your worries.

    The Truth About ClickBait.

  • avatar

    It’s interesting that I’ve noticed changes to the functionality of my Intellilink system, but not acknowledgment that GM does over the air updates…

  • avatar

    I used Remote Link for the 3-month trial period on my ’13 Malibu, and it was cool to be able to remote start my car using my cellphone.

    Using it that way, it is like a cell-phone call; it can’t be intercepted/spoofed locally, so this hack couldn’t work.

    I didn’t know that Remote Link could be used locally over Wi-Fi (cheapskate owners don’t want cell charges?) – of course it could be hacked/intercepted, like a garage door opener – and it would have limited range/usefulness.

    Seems like yet ANOTHER case against Wi-Fi in cars.
