A security researcher has followed up on a promise made days ago by posting a video demonstrating how he can locate, unlock and start any GM vehicle through his phone. The video, posted on YouTube, is the latest security breach publicly showcased that involves millions of vehicles being driven on America’s roads. Rival Detroit carmaker Chrysler is now facing a class action lawsuit over a similar vulnerability disclosed two weeks ago.
Samy Kamkar, a self-proclaimed hacker and whistleblower, posted a video on YouTube on Wednesday that shows him hacking into a GM vehicle using a unique device he calls OwnStar.
According to Kamkar, his device intercepts wireless communications between the OnStar cloud service and GM’s OnStar RemoteLink mobile application. By intercepting these signals, Kamkar states that he was able to remotely track the GM vehicle, unlock it and start it.
OnStar is a subscription-based vehicle service that conveniently provides vehicle security, turn-by-turn navigation, hands-free calling and remote diagnostics.
RemoteLink, on the other hand, forms part of OnStar’s mobile application that allows GM vehicle users to unlock and start their cars from anywhere. The application can also turn the vehicle’s lights on, blow the horn and manage the vehicle’s WiFi hotspot.
However, as Kamkar has proven, the system has glaring security gaps. Kamkar’s video revelation is just the latest in what has been a persistent round of vehicle systems hacking by cyber security researchers. Hackers recently broke into a Fiat Chrysler vehicle’s internal operating system through a hole in its UConnect infotainment system. Through the UConnect gap, the hackers were able to control vehicle functions that included acceleration, braking and ignition.
Fiat Chrysler has since recalled 1.4 million vehicles after the malignant system failure and found itself on the receiving end of a lawsuit just this morning.
The good news is that GM’s OnStar is only susceptible to hacking at close range, unlike Fiat Chrysler’s system, which could be hacked remotely. Kamkar said that should a user turn on OnStar RemoteLink near him, he would launch his OwnStar device and intercept the signals, allowing him to take control of the vehicle.
Kamkar added, "Fortunately, the issue lies in the mobile software and is not a problem with the vehicles themselves. GM and OnStar have so far been receptive to me and are already working quickly on a resolution to protect consumers."
In a statement, GM said it was looking into the matter and that it takes issues of user safety “very seriously.”
Kamkar said he was in talks with GM to improve the vehicles’ security and that he would be revealing further details on the OwnStar device at the upcoming Def Con hacking conference.
Vehicle security has come under close scrutiny lately after a consistent run of hacks performed on vehicles. With growing technological advances, further care is needed to safeguard vehicle users in the U.S., and the trend raises important safety questions as millions of household devices become connected to the broader internet.