OnStar issues new RemoteLink Apple app after threat

Melissa Burden
The Detroit News

General Motors Co. said Friday it is has issued a new OnStar RemoteLink app for iPhone and iPad users because of a security threat identified by a hacker who claimed to use a smartphone to take control of some functions of a Chevrolet Volt.

“GM product cyber security representatives reviewed a vulnerability identified by an independent researcher this week and moved quickly to secure our back-office system and reduce risk. That step required no customer action,” GM OnStar said in a statement Friday.

“Continued testing identified further action necessary on the Apple iOS version of RemoteLink app itself. That step has now been taken and an update is now available via Apple’s App Store.”

The company said RemoteLink users with iPhones and iPads would be notified by OnStar on Friday through an email. It includes a link to download the new app.

OnStar customers who open the link from iPhone will be directed to the App Store. Those who open the email from a computer will be directed to the OnStar.com RemoteLink web page where there are instructions on how to download the app, an OnStar spokesman said.

The previous version of the app will be decommissioned.

Android, Windows Phone and Blackberry users do not need to download a security fix.

On Thursday, security researcher Samy Kamkar posted a video to YouTube. On the video, he said he was able to hack intoRemoteLink by using a battery-powered device he dubbed “OwnStar.” With that, Kamkar said he was able to intercept communication between a mobile phone with the app and OnStar servers.

After doing that, Kamkar said he was able to control some functions of the Volt, such as remotely starting it and unlocking its doors. On Friday, he tweeted: “OwnStar update: I just confirmed @OnStar has resolved the vulnerability with the RemoteLink app update released today! Great turnaround!”

The RemoteLink app allows OnStar users to remotely start their cars, honk the horn, turn on lights or lock and unlock doors. Users also can locate their vehicle through the app and get vehicle diagnostic data such as tire pressure and oil life.

The security issue follows the first-ever cyber security recall last week of 1.4 million Fiat Chrysler Automobiles NV vehicles. That recall followed a Wired magazine report that hackers could wirelessly take control of some functions of a 2014 Jeep Cherokee such as steering, transmission and brakes.