July 30, 2015
It seems that hacking cars is the new big thing, and GM’s OnStar has been the latest victim. One of the DEF CON events will actually be to hack a Tesla Model S live on stage. This will be the first live debut of an automotive zero-day.

OwnStar, as it was dubbed by its creator, has the capability of tricking the car into thinking a hacker is the car’s owner using the OnStar mobile app. This hack is much less sinister than some of the other ones recently released (see the FCA hack). However, this hack is much easier for the hacker to perpetrate. All it takes is $100, a mechanical thumb, and patience.

Basically, OwnStar performs a man-in-the-middle attack on the GM subsidiary. OwnStar, as presented by its creator Samy Kamkar, is a small box, about half the size of a stereotypical metal lunch box. Inside are the radios and a tiny Raspberry Pi computer. This $100 setup tricks the mobile app into believing that it is an innocuous open WiFi connection, like one at a public place such as a coffee shop. Now, I know my phone does not connect to open WiFi connections automatically, but apparently many do. If the user connects to the OnStar mobile app while unknowingly on this inconspicuous WiFi, OwnStar dodges the SSL encryption (or whatever) and convinces the app to transfer all the information to the hacker via a 2G cellular connection.

Some of you might be thinking: well, the mobile app can be used from anywhere, so what if the car is not nearby? For one, that doesn’t matter, because the hacker would only be doing what the user can do from his own phone. But if the hacker wanted to steal property from within the car, he could do that too, because the app sends him geographical data as well.

Thankfully, other than causing havoc within the car, not much else can be done. The car could be remotely turned on, but without the key it could not be put in drive, so stealing the car is out of the question. Even if the car was remotely turned on, it would only be for a short period, as the car automatically turns off after a certain period if the key does not enter the vicinity. The only real issue in this hack is the threat of property loss and/or damage.

So if you are one of the million people using the OnStar app, and like keeping your Fabergé eggs next to the golden goose that lays them in the back seat (shame on you, that goose will die of a heatstroke, but also), there is a small chance that they will not be there when you return. Similarly, if you are an unpopular grade school teacher with a new-ish GM car, you might find that the class clown has found a more effective, annoying way to egg your car.

So just to be safe, Samy suggests that users not use their mobile app until the issue has been patched. That should not take long, because he has already done the decent thing and given them the heads-up. But the clock is ticking: either OnStar beats Kamkar’s public and detailed explanation of the OwnStar exploit, or there will be a period where GM is scrambling to plug the leak of users’ information.