Skip to main content

OnStar hack can remotely unlock cars and start engines, GM claims to have a fix

gm maps for self driving cars onstar
Following a dramatic demonstration of car hacking involving a Jeep Cherokee, a researcher claims to have found a way to break into General Motors’ OnStar telematics system and take control of certain vehicle functions remotely. GM says it has a fix, though.

Sammy Kamkar built a small device about the size of a router that he calls, a bit cheekily, “OwnStar.” It’s designed to break into the OnStar system and do anything one of its operators can do, including remotely track a car, lock or unlock doors, or start the engine, according to Wired.

Kamkar reported the issue to GM before the Wired story was published, and plans to reveal full details of the hack during the DefCon conference next week. The carmaker claims to have already fixed the problem by instituting stronger certificate controls at the servers that control the OnStar RemoteLink remote-access app.

OwnStar relies on this smartphone app, which sends signals to a car’s onboard computers. The device must be positioned somewhere on the car itself, close enough to intercept these signals. It then poses as the car’s actual systems, and harvests the car owner’s credentials. A hacker can use those credentials to mimic the app, and give remote commands to the car.

This was possible because the OnStar app wasn’t originally programmed to check for fake encryption certificates, something GM claims to have corrected in its recent update. Unlike with the Chrysler vulnerability exposed by researchers Chris Valasek and Charlie Miller, this was done through the OnStar system’s servers, so owners won’t have to take any action.

However, Kamkar isn’t convinced that the problem has been fixed. Yesterday, he tweeted that the issue is “not actually resolved yet.” He said he had spoken to GM, and was told the company was working on a final fix.

Earlier this week, GM announced that it had surpassed 1 billion OnStar customer interactions, including those using the app, phone calls, and in-vehicle interfaces. It says about 8.8 million of those interactions were done through the app, and claims to have over 7 million OnStar subscribers right now.

Editors' Recommendations

Stephen Edelstein
Stephen is a freelance automotive journalist covering all things cars. He likes anything with four wheels, from classic cars…
How GM’s Cruise self-driving cars navigate around double-parked vehicles
Cruise Automation Chevrolet Bolt EV in San Francisco

How Cruise Self-Driving Cars Navigate Double-Parked VehiclesFor self-driving cars, learning the rules of the road is just the beginning. Cars can be programmed to acknowledge stop signs and obey speed limits, but it's much harder to account for the unpredictability of human drivers. Double-parked cars are a common sight in most cities, so General Motors' Cruise autonomous-driving division is teaching its prototype self-driving cars how to navigate around them.

Before it can do anything, a self-driving car needs to figure out whether a vehicle in front of it is double parked. To do this, the car can use "contextual cues," such as the appearance of hazard lights, or the amount of time a vehicle has been stationary, according to a Cruise blog post. Self-driving cars can also recognize if the vehicle in front is a type that tends to double park frequently, such as a delivery truck. Cruise's cars rely on cameras, radar, and lidar to "see" what's around them, and machine learning to synthesize information into a conclusion. Human beings do this all the time, but it's something autonomous cars must be painstakingly taught.

Read more
Tuners may have a big problem with Chevy’s mid-engine Corvette, report says
2020 mid-engined Chevrolet Corvette

The upcoming mid-engine 2020 Chevrolet Corvette C8 promises a new level of performance, but the aftermarket might hate it.

The next-generation Corvette will be the first to place its engine behind the driver, and that engine will be controlled by a "unique encrypted ECU system," according to Muscle Cars & Trucks (via Motor Authority). The encryption will prevent changes to the ECU software in pursuit of more horsepower, according to the report.

Read more
GM Cruise to double its autonomous-car team to meet robo-taxi goal
Cruise Automation Chevrolet Bolt EV in San Francisco

General Motors’ autonomous-car unit is clearly going places, with plans announced this week to double its team by the end of 2019.

With its eye on the launch of a robo-taxi service before the end of the year, Cruise Automation will add an extra 1,000 workers to its team as the year progresses, Reuters reported this week.

Read more