New Onstar hack can unlock cars and start engines

Jul 30, 2015, 2:18 PM UTC

There's a new way to break into connected cars. In a report in Wired today, researcher Samy Kamkar revealed a homemade device he calls OwnStar. It's a small box about the size of a router, built to break into GM's OnStar system through a rogue Wi-Fi hotspot. When used successfully, the box let him do anything OnStar can do, including locate a vehicle remotely, unlock doors, or even start the engine. (Notably, OnStar doesn't allow for remote access to a car's steering, transmission, or brakes, cutting off the most frightening attacks.) Kamkar reported the vulnerability to General Motors prior to publication, and the company says it has already updated its system to protect against the attack, but the vulnerability stands as an illustration of how attackers might target connected car systems. The full details of the attack will be revealed in a presentation at DefCon next week.

To work properly, the OwnStar box has to be attached to the body of the car, close enough to intercept communications from the driver's phone. From there, the box masquerades as the car's own system and communicates with the OnStar app to harvest the driver's credentials. An attacker can then use those credentials to effectively mimic the app, giving orders to the car through the OnStar system. Available as a subscription service, OnStar has 7 million subscribers in the US and China, and passed its billionth customer interaction earlier this year.

The hack was possible because the OnStar app doesn't check for phony encryption certificates, allowing Kamkar's device to forge its own credentials to impersonate the car's onboard system. If you tried the same trick in Chrome, you'd get the red warning screen, but because OnStar isn't checking the certificate, Kamkar's device is able to skate through unnoticed. The good news for GM is that the vulnerability could be fixed by simply updating the Onstar system, instituting tougher certificat controls. That means that unlike the Chrysler hack announced last week, this bug can be patched easily through a server-side update, making it significantly less dangerous.

7/30 11:45AM: Updated with news of General Motors' update to protect against the attack.

New Onstar hack can unlock cars and start engines

New Onstar hack can unlock cars and start engines

Tesla’s in its flop era

Apple announces May 7th event for new iPads

Anker’s 8-in-1 charging station is matching its lowest price to date

An Xbox VR headset is on the way, but it’s a ‘limited edition’ Meta Quest

Why is Windows 11 so annoying?

More from Transpo

Scout Motors wants to put the ‘mechanical’ back into electric trucks

Lucid slashes prices for its luxury EVs for the third time in seven months

GM is preparing for another major expansion of its hands-free Super Cruise system

Tesla’s latest update takes aim at cold weather woes

New Onstar hack can unlock cars and start engines

New Onstar hack can unlock cars and start engines

Share this story

Tesla’s in its flop era

Apple announces May 7th event for new iPads

Anker’s 8-in-1 charging station is matching its lowest price to date

An Xbox VR headset is on the way, but it’s a ‘limited edition’ Meta Quest

Why is Windows 11 so annoying?

More from Transpo

Scout Motors wants to put the ‘mechanical’ back into electric trucks

Lucid slashes prices for its luxury EVs for the third time in seven months

GM is preparing for another major expansion of its hands-free Super Cruise system

Tesla’s latest update takes aim at cold weather woes