There's a new way to break into connected cars. In a report in Wired today, researcher Samy Kamkar revealed a homemade device he calls OwnStar. It's a small box about the size of a router, built to break into GM's OnStar system through a rogue Wi-Fi hotspot. When used successfully, the box let him do anything OnStar can do, including locate a vehicle remotely, unlock doors, or even start the engine. (Notably, OnStar doesn't allow for remote access to a car's steering, transmission, or brakes, cutting off the most frightening attacks.) Kamkar reported the vulnerability to General Motors prior to publication, and the company says it has already updated its system to protect against the attack, but the vulnerability stands as an illustration of how attackers might target connected car systems. The full details of the attack will be revealed in a presentation at DefCon next week.
To work properly, the OwnStar box has to be attached to the body of the car, close enough to intercept communications from the driver's phone. From there, the box masquerades as the car's own system and communicates with the OnStar app to harvest the driver's credentials. An attacker can then use those credentials to effectively mimic the app, giving orders to the car through the OnStar system. Available as a subscription service, OnStar has 7 million subscribers in the US and China, and passed its billionth customer interaction earlier this year.
The hack was possible because the OnStar app doesn't check for phony encryption certificates, allowing Kamkar's device to forge its own credentials to impersonate the car's onboard system. If you tried the same trick in Chrome, you'd get the red warning screen, but because OnStar isn't checking the certificate, Kamkar's device is able to skate through unnoticed. The good news for GM is that the vulnerability could be fixed by simply updating the Onstar system, instituting tougher certificat controls. That means that unlike the Chrysler hack announced last week, this bug can be patched easily through a server-side update, making it significantly less dangerous.
7/30 11:45AM: Updated with news of General Motors' update to protect against the attack.