Not content with scaring the bejesus out of Chrysler owners, Wired has uncovered a hacker who says he can open a GM car with OnStar, start it or track it remotely. The only thing he can’t do is put the car in gear or steer it, which still requires a key.
Hacker Samy Kamkar says his $100 device could seriously annoy — or seriously rob — a GM car owner if he wanted it to. GM promptly responded by saying it fixed the flaw in a way that doesn’t require owners to update their cars.
Kamkar said his exploit wasn’t meant to cause mayhem, but rather to show how modern, technological cars can be vulnerable to hackers.
Kamkar’s hack wasn’t as simple as the St. Louis duo’s Uconnect exploit that prompted a recall earlier this month.
A WiFi-enabled box would be attached to the target vehicle and emulate a well-known network, such as a popular coffee shop hotspot. Assuming the user logged onto the phony network and launched the GM RemoteLink app, Kamkar’s hack could retrieve the car’s data, including position. Kamkar could unlock the doors — or start the car.
“As soon as you’re on my network and you open the app, I’ve taken over,” Kamkar told Wired.
Kamkar said he’s only tried the hack on his friend’s 2013 Chevrolet Volt, but he’s confident the system would work on any OnStar-enabled car.
GM said it became aware of the hack a few days ago and patched the issue within hours of the story’s publication earlier today.
Surprisingly, this photo is provided by the manufacturer.
I love my tech packages but not if they take away control/security/privacy from my vehicles.
Then you are apparently contradicting yourself.
It would help if the automakers would actually focus on fixing the security problems instead of intimidating security researchers that are uncovering their mistakes.
“The only thing he can’t do is put the car in gear or steer it, which still requires a key.”
For now…
…Surprisingly, this photo is provided by the manufacturer…
Heh
Clap for the wolfman, you’re gonna dig him ’til the day you die.
Looks like the skinny jumping Asian kid from the Cadillac commercial “Daring: No Regrets.” Now in wolf’s clothing.
Strange how cars are so complex in their styling, but yet they use fairly simple programming security (if any).
“…yet they use fairly simple programming security (if any).”
Reminds me of the heady days in the 1990s when the internet really started taking off. Sendmail was great for easily sending spoof emails. You could set the packet size on ping so high that it could shutdown a cheap network card and effectively log someone off. You could pipe all manner of things to someone’s /dev/tty right when they were least expecting it… R-rated ASCII art, random carriage returns (13), and bells (7). It got really crazy when color terminals got more common, hooboy, don’t know how we all survived!
For the same reason contemporary McMansions have all manners of cheesy ornamentation, and even alarm systems, yet the windows and doors (and even walls) are easily kicked down by any old thug.
But, theiiiiii’re baaaad. Sooomeone should dooooo soomething……..
The electrification of the modern automobile, how is that working out for you folks? Each passing day I love my 98 Corolla more and more!
>> Each passing day I love my 98 Corolla more and more!
This hack required planting a device on the car. It’s just a little more work to add a linear positioner to control a throttle on an older car and wiring into the ABS (steering the car by applying one brake) if you have it.
What you are referring to is mechanical sabotage. Yeah, someone can cut my brake lines or put water in the master cylinder, or sugar in my tank; this is different. The systems in new cars are ripe for this kind of electronic hacking.
The hack in the story required physically attaching a device to the vehicle. It wasn’t some hacker over the internet.
So you have to attach one device for a Volt, but with the addition of a couple of more parts you get the same control over an older car.
Sugar actually won’t dissolve in gasoline. If enough is in the tank it can clog the pump screen, the fuel filter if any gets by the screen, and possibly the injectors if any makes it that far. Much better revenge is (according to a local bookie who knew a guy that did collecting) a Snickers bar; apparently the caramel will make its way to the engine. Don’t know if it’s true, my guess is it simply clogs the pump screen. Leg breaking was discouraged, as it leaves the debtor unable to make payments, but a follow-up phone call with a question of “how’s ya car runnin’, pay me” was much more effective.
“Assuming the user logged onto the phony network”
If you go around logging into phony networks then people switching your car on and off remotely is the least of your worries.
The Truth About ClickBait.
Many phones will remember SSIDs. If you use any open networks like Starbucks then you are open to spoofing with no action needed on your part.
It’s interesting that I’ve noticed changes to the functionality of my Intellilink system, but no acknowledgment that GM does over the air updates…
I used Remote Link for the 3-month trial period on my ’13 Malibu, and it was cool to be able to remote start my car using my cellphone.
Using it that way, it is like a cell-phone call; it can’t be intercepted/spoofed locally, so this hack couldn’t work.
I didn’t know that Remote Link could be used locally over Wi-Fi (cheapskate owners don’t want cell charges?) – of course it could be hacked/intercepted, like a garage door opener – and it would have limited range/usefulness.
Seems like yet ANOTHER case against Wi-Fi in cars.