GM says OnStar app flaw fixed, researcher says still exploitable

GM's OnStar RemoteLink mobile application contains a vulnerability that can enable an attacker to identify and start a vehicle, and more.

A security researcher was able to exploit a vulnerability he discovered in GM's OnStar RemoteLink mobile application that lets an attacker identify, locate, unlock and start an OnStar-enabled vehicle.

Samy Kamkar revealed his discovery in a YouTube video Thursday and demonstrated how a device he built, dubbed OwnStar, can exploit the bug and intercept requests from a user's mobile app and the OnStar service. The device sends special packets to the OnStar network to obtain the vehicle's credentials and gain unauthorised access.

The flaw is located in the app software for RemoteLink, which allows users to access and control certain features and diagnostic information in OnStar-enabled vehicles from their mobile devices. As long as the OwnStar device is within Wi-Fi range of a user who has the application open, it will automatically gather the information and send a text message to notify that it has gained access.

Kamkar said he reported his findings to GM last week and on Thursday the automaker told Wired that the flaw was fixed. But Kamkar confirmed to SCMagazine.com that as of that same afternoon he could still successfully exploit the vulnerability.

Kamkar added that these types of problems aren't unique to GM. Last week researchers disclosed a vulnerability in the UConnect software used in Fiat Chrysler vehicles that, if successfully exploited, could allow attackers to remotely control an affected vehicle. The disclosure resulted in the recall of about 1.4 million vehicles.

“In general, I think anyone building connected devices should be more careful,” Kamkar said. “Most connected devices we have will be vulnerable and larger companies need to pay more attention to security.”

Kamkar recommended that users not open the RemoteLink app until the flaw had been successfully patched. The researcher will give a presentation on the exploit and his device, as well as other vulnerabilities he found, at the DEF CON 2015 conference in Las Vegas in August.