OnStar Hack Can Open Doors, Start Car, Track Driver

Not content with scaring the bejesus out of Chrysler owners, Wired has uncovered a hacker who says he can open a GM car with OnStar, start it or track it remotely. The only thing he can’t do is put the car in gear or steer it, which still requires a key.
Hacker Samy Kamkar says his $100 device can seriously annoy — or seriously rob — a GM car owner if he wanted it to. GM promptly responded by saying it fixed the flaw in a way that owners won’t have update their cars.
Kamkar said his exploit wasn’t mean to cause mayhem, but rather to show how modern, technological cars can be vulnerable to hackers.
Kamkar’s hack wasn’t as simple as the St. Louis duo’s Uconnect exploit that prompted a recall earlier this month.
A WiFi-enabled box would be attached to the target vehicle and emulate a well-known network, such as a popular coffee shop hotspot. Assuming the user logged onto the phony network and launched the GM RemoteLink app, Kamkar’s hack could retrieve the car’s data, including position. Kamkar could unlock the doors — or start the car.
“As soon as you’re on my network and you open the app, I’ve taken over,” Kamkar told Wired.
Kamkar said he’s only tried the hack on his friend’s 2013 Chevrolet Volt, but he’s confident the system would work on any OnStar-enabled car.
GM said it became aware of the hack a few days ago and patched the issue within hours of the story’s publish earlier today.
Surprisingly, this photo is provided by the manufacturer.
Comments
Join the conversation
What you are referring to is mechanical sabotage, yeah, someone can cut my brake lines or put water in the master cylinder, or sugar in my tank, this is different, the systems in new cars are ripe for this kind o electronic hacking
"Assuming the user logged onto the phony network" If you go around logging into phony networks then people switching your car on and off remotely is the least of your worries. The Truth About ClickBait.
It's interesting that I've noticed changes to the functionality of my Intellilink system, but not acknowledgment that GM does over the air updates...
I used Remote Link for the 3-month trial period on my '13 Malibu, and it was cool to be able to remote start my car using my cellphone. Using it that way, it is like a cell-phone call; it can't be intercepted/spoofed locally, so this hack couldn't work. I didn't know that Remote Link could be used locally over Wi-Fi (cheapskate owners don't want cell charges?) - of course it could be hacked/intercepted, like a garage door opener - and it would have limited range/usefulness. Seems like yet ANOTHER case against Wi-Fi in cars.