Car hacking is now an
official sport in the United States of America.
This is yet another Security Researcher, Sammy Kamkar, has
declared that another type of connected vehicle is hackable. This time it’s the General Motors’ OnStar
telematics System as reported in the article “OnStar
hack can remotely unlock cars and start engines, GM claims to have a fix”,
published July 31, 2015 By Stephen Edelstein, DigitalTrends.
The researcher, Sammy Kamkar, claims that he built a device
that can hack into GM's OnStar telematics System. It does so by tapping into the communications
between the OnStar RemoteLink remote-access App and the vehicles OnStar IVE.
Already some 3 million people in the US of A alone have
downloaded the OnStar RemoteLink remote-access App onto their Apple iPhones and
Google Android smartphones as reported in the article “Researcher
says he can hack GM’s OnStar app, open vehicle, start engine”, published
JULY 30, 2015 by REUTERS, putting them at
risk.
Sammy Kamkar finds
GM OnStar Vulnerability – 7 Million GM vehicles in USA and China are hackable
He claim to have discovered the vulnerably before the
Security Researchers Charlie Miller and Chris Valasek had demonstrated in
dramatic fashion that they'd hacked a 2014 Jeep Cherokee via the Iinternet as
reported in my blog
article entitled “Security
Researcher hack a 2014 Jeep Cherokee - How to remotely hack an Internet
Connected Vehicle as Remote Vehicle Homicide possible”.
Once he's compromised GM's OnStar System, he's able to not
only remotely track the vehicle, but also open and close the doors and even
shut down the engine as reported in the article “This
gadget hacks GM Cars to locate, Unlock and start them (updated)”, published
07.30.15 by Andy Greenberg, Wired!
Like the original Jeep Cherokee researcher pair, he also
plans to make a splash at the DefCon Conference and possibly the Black Hat
Security Conference in Las Vegas come August 2015.
Coming a little over a week after the dramatic hacking of
the 2014 Jeep Cherokee's Uconnect software, which is a model owned by Fiat
Chrysler, this looks a little suspicious.
But it if is as serious a vulnerability as he claims, then
GM’s 7 million OnStar subscribers in the US of A and China as reported in the
article “New
OnStar hack can unlock cars and start engines”, published July 30, 2015 By
Russell Brandom, The Verge, are at risk.
So how serious is this vulnerability, really?
GM’s OnStar Hack -
Less Dramatic but dangerous like Fiat Chrystler Uconnect hack
First, it'd be good to analyze how Security Researcher Sammy
Kamkar hack works.
First, be built a Wireless Data Transceiver, which he calls
“OwnStar” that can tap into the BlueTooth or Wi-Fi transmission between the OnStar
RemoteLink remote-access App on the driver's smartphone and the OnStar System
in the IVE (In-Vehicle Entertainment) System.
Unlike the vulnerability in Security Researchers Charlie
Miller and Chris Valasek, this device has to be located close enough to the
vehicle in order to tap into the communication to the OnStar System and listen in
on instruction being sent to the CAN
(Controller Area Network) Bus. GM has the same vulnerability like the Fiat
Chrysler vehicles; the Engine management System, IVE and Communications all
share the same common CAN Bus!
So gain access to one and you can gain control of the entire
vehicle functionality from the Radio straight down to the Engine, Brakes and
Windows! You might reason to yourself that this hack isn't so serious, as you
have to be in proximity of the vehicle in order to hack into its CAN Bus.
But in reality this vulnerability is just as bad as the one
discovered the week before by Security Researchers Charlie Miller and Chris
Valasek.
Security
Researcher Sammy Kamkar GM OnStar Hack - How OwnStar can make you GM OnStar
Vehicle Gone in 60 Seconds
In this case, you only need to install the device on the
vehicle and then hide some distance away before the owner returns. The
“OwnStar” device ten listens in on the Bluetooth communications between the GM
vehicle's OnStar System and the OnStar RemoteLink remote-access App.
Because most of this data is unencrypted, the device, most
likely attached under the vehicle's undercarriage by magnets, can constantly listen
in on each command being sent through the day when the driver opens and closes
their car remotely. It records the Bluetooth communications like a keylogger,
which can occur as far away as 30 meters.
Once it has recorded enough of these transactions, which are
effectively unencrypted access keys, the hacker can then revisit the vehicle at
a convenient time and remove the device.
He can then take it home and using his laptop or desktop
computer and suitable RS232C or USB interface, dump the memory store unto his
laptop. Then using special decryption software, he can take anywhere from days
to minutes to crack the keys and the channel used by the victim’s smartphone Bluetooth
interface.
Once he has the keys, he can generate fake security
certificates for the OnStar RemoteLink remote-access App Server, access in the Server
as he was the driver. He can then use them to not only remotely track the
vehicle, but also open and close the doors and even shut down the engine.
By authenticating himself as the user using the OnStar
RemoteLink remote-access App via cellular Internet or even from a laptop, he
can also use it at close range with a Bluetooth enable Smartphone to steal the
vehicle, the ultimate prize after all his efforts.
No need to break into the vehicle in real time, as the owner
using his or her smartphone repeatedly will basically give you the unencrypted
keys over time.......and access to his vehicle at a later date at your
choosing.
The OwnStar is thus quite appropriately named. The intent of
the OwnStar electronics package is not to cause Remote Vehicular Homicide.
Rather, it's just an aid to stealing a high value connected
Vehicle via taking advantage of the unencrypted communication between the OnStar
RemoteLink remote-access App on the driver's smartphone and the OnStar System
in the IVE (In-Vehicle Entertainment) System, which some 7 million GM customers
currently use.
With GM boasting of
some 1 billion OnStar customer interactions, 8.8 million of which are done via
the OnStar RemoteLink remote-access App, expect the next target of hackers to
be the Server and the OnStar RemoteLink remote-access App itself.
OwnStar means GM OnStar
IVE is hackable - How the NSA can remotely control your Vehicle
Remember, too, that
GM has signed up to with Apple Carplay and Android Auto for their 2016 line of
Vehicles as reported in my blog article
entitled “Apple
Carplay and @Android Auto on GM Vehicles – How Smartphone OS Voice Assistant
IVE are invading Hands-Free Driving Space”.
If a device can be used to intercept the communications
between the GM Vehicle's IVE and the OnStar RemoteLink remote-access App, why
not exploit potential vulnerabilities in those Apps as well, the Smartphone OS or even hack the Server that
the App communicates?
After all, it's already possible to install an App on a
Smartphone that can remotely allow a hacker to issue commands to the Baseband
Processor and shut it down remotely as explained in my blog article
entitled “NSA
smartphone hack via the Baseband Processor - How NSA can remotely control your
smartphone and Defense Against the Dark Arts”.
So wouldn’t it be possible for the NSA (National Security
Agency), for example, to compromise your vehicle by hacking into the Apps,
servers or a potential target's smartphone?
This was the plan that the Five Eyes Alliance had hatched to
compromise the servers that hosted the Alibaba’s UC Browser App, based on
Edward Snowden's revelations as explained in my Geezam
blog article entitled “NSA
and Five Eyes Alliance in Project Irritant Horn Spying on Arab Spring Jihadists”.
GM issues a fix,
Researcher Sammy Kamkar says it’s not fixed – DefCon will reveal OwnStar in
great detail
To date, GM claims to have fixed the vulnerability as
reported in the article “GM
quickly issues fix for OnStar hack, but service still vulnerable”,
published July 30, 2015 by Tim Stevens, CNET
News to guard their OnStar System against fake security certificates being
sent to its servers that control the OnStar RemoteLink remote-access App.
But Security Researcher Sammy Kamkar says it's still not
actually resolved as yet based on his communication with GM in the article as
reported in the article “The
GM OnStar hack still isn't completely fixed”, published July 31st 2015 by
Cadie Thompson, Business Insider.
So come August 2015 at the DefCon Conference and possibly
the Black Hat Security Conference in Las Vegas, Nevada, Security Researcher
Sammy Kamkar's work will be on display, completely revealed for all to use as
they see fit.
Hopefully by then, GM and other Car makers with similar
known vulnerabilities, would have patched their systems. Otherwise, they’ll really be Gone in 60
Seconds, Nicholas Cage Style!