GM O(w)nStar

After the Fiat-Chrysler uConnect vulnerability it is now GM that has to fix a certain security flaw in their OnStar system. In contrast to the uConnect hack, this exploit takes place using a flaw in the RemoteLink mobile phone companion app of OnStar. The researcher Samy Kamkar uses a self-built device called OwnStar to get access to the user’s credentials by using a combination of wifi spoofing and man-in-the-middle attack.


The book-sized gadget he developed, which he calls “OwnStar” in a reference to the hacker term to “own” or gain control of a target computer, is designed to be hidden under the chassis or bumper of a GM vehicle the attacker is targeting. When the car’s owner uses the OnStar RemoteLink app within Wi-fi range of the car, OwnStar exploited an authentication flaw in the app to intercept the user’s credentials and send them wirelessly to the hacker.

Patch Your OnStar iOS App to Avoid Getting Your Car Hacked


“If I can intercept that communication, I can take full control and behave as the user indefinitely,” says Kamkar, a well-known security researcher and freelance developer. “From then on I can geolocate your car, go up to it and unlock it, and use all the functionalities that the RemoteLink software offers.”

This Gadget Hacks GM Cars to Locate, Unlock, and Start Them


Thankfully, GM seems to have resolved the problem with a change to its server software and update to its OnStar RemoteLink iOS app. Kamkar is scheduled to talk in detail about his hack at this year’s DefCon conference.


Leave a Comment