GM, hacker say OnStar app issue not completely fixed

Melissa Burden
The Detroit News

General Motors Co. said it will make more fixes to its OnStar RemoteLink system after a hacker said he was able to remotely unlock doors and start engines.

“GM product cybersecurity representatives have reviewed the potential vulnerability recently identified,” OnStar spokesman Stuart Fowle said Thursday. “In working with the researcher, we moved quickly to secure our back-office system and reduce risk. However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk.”

GM said earlier Thursday it had fixed the problem, but security researcher Samy Kamkar said he was still able to get back into and control functions in the app after the automaker said it had implemented a fix.

Kamkar, in a YouTube video featuring a Chevrolet Volt, said he was able to hack into OnStar’s RemoteLink mobile app by using a device he called OwnStar to intercept communication between a mobile phone with the app and OnStar servers. Kamkar tweeted Thursday: “I’ve revealed OwnStar, a device that intercepts OnStar RemoteLink mobile app and can locate/unlock/remote start cars.”

While he was able to control some functions, he couldn’t drive away in the car; a key fob is needed for that.

RemoteLink is a smartphone app that allows OnStar users to remotely start their cars, honk the horn, turn on the lights or lock and unlock doors. Users also can locate their vehicle through the app and get vehicle diagnostic data such as tire pressure and oil life.

Kamkar, a 29-year-old Los Angeles software developer, said in a telephone interview Thursday that the company did fix some encryption issues, but not the issue related to his battery-powered device. He said that for the device to work, it needs to be near a user or attached to the vehicle, and someone has to open the RemoteLink app.

He said he notified GM last week about the problem. “They were receptive in working with me,” he said. “They are easy to work with and it appears they’re working very hard to solve this.”

Kamkar said he’ll report more details of his findings at next week’s Def Con hacker conference in Las Vegas, and in another video.

The automaker did not immediately say how or when it has made fixes.

Kamkar said he would advise OnStar users not to use the RemoteLink app until OnStar issues an update to the app. He said he wanted to make the public aware of what’s possible with connected vehicles and devices, and to encourage people to pay attention to the security implications of each.

The popular RemoteLink app generates 8.8 million interactions a month from customers. OnStar says it has 1.5 million active RemoteLink users.

The issue comes on the heels of the first-ever cyber security recall last week of 1.4 million Fiat Chrysler Automobiles NV vehicles. That recall came after Wired magazine reported hackers could wirelessly take control of functions such as steering, transmission and brakes in a 2014 Jeep Cherokee.

National Highway Traffic Safety Administration spokesman Gordon Trowbridge said the agency didn’t have an immediate comment. But a source familiar with the matter said NHTSA is aware of the vulnerability and has been in contact with GM.

GM told NHTSA the flaw could involve doors and engine start-stop, but doesn’t involve other critical safety systems. NHTSA has suggested to GM that it disable the app function until the automaker can come up with a fix and customers can install it.

GM and OnStar said work being done by Kamkar and other “security researchers” is helping make its in-vehicle systems more secure.

“Cyber security is a global issue facing virtually every industry today, and a lot of work continues to be done at GM in this space,” GM said in a statement. “Our customers’ safety and security is paramount and we are taking a multi-faceted approach to secure in-vehicle and connected vehicle systems, monitor and detect cyber-security threats, and design vehicle systems that can be updated with enhanced security as these potential threats arise.”

On Friday, GM’s head of global product development, Mark Reuss, told reporters that cyber security is one of the most important things it spends time on and that automakers are vulnerable to hackers. Reuss said protections must be put in place to prevent hackers from entering a system and to keep them from controlling a system if they do get in.

Staff Writer David Shepardson contributed.