Patch Your OnStar iOS App to Avoid Getting Your Car Hacked

GM admits its fix for a wireless OnStar hack was incomplete and is urging iOS users to update their RemoteLink app.
An attendee demonstrates the OnStar Corp. 4G LTE dash system on a General Motors Co. (GM) Chevrolet Impala vehicle during the 2014 North American International Auto Show (NAIAS) in Detroit, Michigan, U.S., on Monday, Jan. 13, 2014. General Motors Co.'s Chevrolet brand swept the North American Car and Truck of the Year awards at the Detroit auto show today with its Corvette Stingray sports car and Silverado pickup. Photographer: Daniel Acker/Bloomberg via Getty Images

One car hack down, an entire industry of potentially vulnerable vehicles to go.

On Friday afternoon, GM OnStar announced a software update to its RemoteLink app for iPhone to patch a security vulnerability that could have been used from across the internet to track GM vehicles, unlock their doors, start their ignitions, and even access the car owner's email and address. Responding to WIRED's story Thursday about the vulnerability revealed by security researcher Samy Kamkar, GM had said it fixed the flaw through a change to its server software. But after Kamkar pointed out that the attack wasn't blocked in his subsequent tests, the company has now also created a patch for its iOS app and says iPhone and iPad users should follow up by updating their RemoteLink app to fully protect their vehicles.

"Based on our initial conversations with Samy, we made changes that did not require user interaction. In our continued testing and conversations with him yesterday, we confirmed that [fix sufficed] for Android, Windows and Blackberry users but not for Apple iOS users," wrote GM spokesperson Renee Rashid-Merem in a statement to WIRED. "GM takes matters that affect our customers’ safety and security very seriously... An update is now available via Apple’s App Store. Impacted customers will receive a communication from OnStar today and the previous version of the app will be decommissioned following that communication to ensure customer security."

Kamkar had proven the existence of that OnStar vulnerability with a proof-of-concept device he plans to detail at the hacker conference DefCon next week. The book-sized gadget he developed, which he calls "OwnStar" in a reference to the hacker term to "own" or gain control of a target computer, is designed to be hidden under the chassis or bumper of a GM vehicle the attacker is targeting. When the car's owner uses the OnStar RemoteLink app within Wi-Fi range of the car, OwnStar exploits an authentication flaw in the app to intercept the user's credentials and send them wirelessly to the hacker. And with those credentials in hand, a hacker could do anything to the vehicle that the RemoteLink app allows, including tracking it, unlocking doors, honking the horn, starting the ignition and accessing all the personal information in the user's OnStar account. "If I can intercept that communication, I can take full control and behave as the user indefinitely," Kamkar told WIRED earlier this week.


GM responded yesterday by saying that it had resolved the issue through a simple fix on its back-end servers. But in a follow-up phone call, Kamkar told WIRED that he could still steal the app's credentials with his OwnStar device. He was also still able to track the location of his friend's 2013 Chevy Volt, the car on which he'd previously tested his attack. Kamkar says he spoke with GM's head of product cybersecurity later that afternoon and detailed the remaining issues.

Though a GM spokesperson wouldn't acknowledge the company's failed fix Thursday, a tweet from GM's OnStar Twitter account noted that an "enhanced RemoteLink app will be available soon to fully mitigate the risk," and the company announced its update today. Kamkar has now confirmed to WIRED that the latest version of the RemoteLink iOS app prevents its credentials from being stolen by his OwnStar device.

Even if GM's OnStar vulnerability is resolved, it still represents just one in a rash of new car hacks that have been and will be revealed in the run-up to the Black Hat and DefCon hacker conferences next week in Las Vegas. Earlier this month, WIRED revealed that security researchers Charlie Miller and Chris Valasek had wirelessly hacked a 2014 Jeep Cherokee, a demonstration that led to a recall for 1.4 million Chrysler vehicles. Kamkar has also emphasized that OnStar's flaws likely aren't unique. He plans to reveal another attack on cars' security systems at DefCon, and says he had developed yet another attack on a different carmaker's digital systems, though that issue was fixed without his help. (He declined to reveal more about that separate research.) Kamkar says he was nonetheless able to refocus his research on GM OnStar and very quickly find another serious vulnerability in GM's software.

That's a sign, he says, of just how inexperienced automakers are when it comes to cybersecurity, and just how many bugs may be left to find and fix in internet-connected cars. “We need to start paying attention to this," he told WIRED earlier this week. "Or cars will continue to get owned."