It only took a few days and $100 for Sammy Kamkar to create a device that can take over any GM vehicle that has the OnStar system.
The 29-year-old software developer will reveal full details of his hack next week at the hacking conference DefCon in Las Vegas, but he told Tech Insider in an interview Thursday that figuring out a way to attack the car wasn't actually that difficult.
OnStar is a system built into many GM cars that lets owners do things like remotely unlock or start their cars from and app or a phone service.
Kamkar bought a GM vehicle for his mom earlier this year and shortly thereafter began to tinker with it, looking for vulnerabilities. It only took him a few days to find a flaw and create a potentially dangerous gadget to exploit it.
The device is composed of only a few key components, including a $40 Rasberry Pie computer and three radios. Kamkar said he had these devices lying around his house from previous projects, but said these components can easily be purchased online.
Kamkar cleverly calls his hacking weapon the OwnStar system and said that it can be used to locate, unlock, and start a vehicle. A user simply has to attach the device somewhere on the targeted car and then whenever the owner opens the OnStar mobile app within WiFi range of the vehicle, the OwnStar gadget placed on the car then relays all kinds of valuable information to the hacker.
“My device not only intercepts all of the information necessary for me to log into that car, but it also sends it to me wirelessly. So then at that point I can then locate the car and see where the car is at any time and then go later and unlock it at my convenience,” Kamkar told Tech Insider.
GM told Tech Insider in a statement that they have fixed the vulnerability that enables the OwnStar device to work, but Kamkar said he is still able to perform the breach.
In another statement later Thursday, GM said it will need to update RemoteLink, the smartphone app that lets GM owners control their cars through OnStar.
Here's the latest statement from GM:
GM takes matters that affect our customers’ safety and security very seriously. GM product cybersecurity representatives have reviewed the potential vulnerability recently identified.
In working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk.
The GM OnStar security flaw is just the latest example of how connected cars are vulnerable to hackers.
“While this attack is specific to GM and Onstar, in no way do I believe they are singled out. I believe these kinds of issues are probably prevalent in most connected devices. And most connected cars,” Kamkar said. “Maybe not this exact issue, but definitely similar issues.”
Last week, hackers Charlie Miller and Chris Valasek revealed they had found a security flaw in Chrysler’s Jeep that enabled them to wirelessly take over the vehicle from a remote location by just using their computer. The vulnerability they discovered enabled them to take over functions like brakes, steering wheel and accelerator.
While these types of car breaches have attracted a lot of from the media and lawmakers, the attacks were carried out in controlled environments by white hat hackers, or hackers who help discover security flaws so companies can fix them. But as more cars become connected, Karmak said we can expect to see more malicious hackers begin to target vehicles and car manufacturers aren’t doing enough to ensure security, at least not yet.
“Before the attack surface was much smaller. The only people who could communicate with your car typically had to have physical access, like someone who was inside your car,” Karmak said. “This is new territory for car manufacturers, I believe. So I think that is why they are not investing as much as they should in security.”
In the meantime, if consumers are really worried about their connected car getting attacked by a hacker, they can always disable their connected features, Karmak said. But until vulnerabilities are discovered and patches are released, there’s not much more consumers can do, he said.
