BOSTON/DETROIT, July 30 - A researcher is advising
drivers to halt the use of a mobile app for General Motors Co’s
OnStar vehicle communications system, saying hackers can
exploit a security flaw in the product to remotely unlock cars
and start engines.
“White-hat” hacker Samy Kamkar posted a video on Thursday
saying he had figured out a way to “locate, unlock and
remote-start” vehicles by intercepting communications between
the OnStar RemoteLink mobile app and the OnStar service.
Kamkar said he plans to provide technical details on the
hack next week in Las Vegas at the Def Con conference, where
tens of thousands of hacking aficionados will gather to learn
about new cybersecurity vulnerabilities.
Kamkar released the video a week after Fiat Chrysler
Automobiles recalled some 1.4 million vehicles
after hacking experts demonstrated a more serious vulnerability
in the Jeep Cherokee. That bug allowed them to gain remote
control of a Jeep traveling at 70 miles per hour on a public
GM said its engineers had reviewed Kamkar’s research. “A fix
has already been implemented,” the company said in a statement.
Kamkar said he discussed the fix with representatives from
GM, but their efforts failed to thwart the attack method he
uncovered, which uses a device he built and dubbed ‘OwnStar.’
“They have not yet fixed the bug that ‘OwnStar’ is
exploiting,” he told Reuters.
Representatives with GM did not immediately respond to
requests for comment on the status of the bug or fix.
The ‘OwnStar’ issue drew the attention of U.S. safety
regulators from the National Highway Traffic Safety
Representatives from the agency discussed the issue with GM,
said the flaw could involve doors and engine start-stop, but
does not involve other critical safety systems, according to a
person familiar with those discussions.
More than 3 million people have downloaded the OnStar
RemoteLink mobile app for Apple iOS and Google Inc
devices, according to OnStar’s website.
(Reporting by Bernie Woodall in Detroit and Jim Finkle in
Boston; Editing by Jonathan Oatis and Jeffrey Benkoe)