Hacker Samy Kamkar unveiled his latest triumph this morning: OwnStar, a tiny box that acts as a Wi-Fi hotspot and intercepts commands sent from a driver's OnStar RemoteLink app, allowing an unauthorized user to locate, unlock or start the vehicle. Simply place the box somewhere in an OnStar-connected car and wait for the driver to start up the RemoteLink app within range of the vehicle. The driver's smartphone should automatically connect to OwnStar's network and, voila, the hacker now has all of the car owner's information (email, home address, final four digits on a credit card plus expiration date), and control of the car. GM has already issued one patch this morning aimed at securing the RemoteLink app, but it was unsuccessful, according to Kamkar.
Kamkar never intended to wreak havoc with OwnStar, he said in an interview with Wired. He wanted to expose a vulnerability in the OnStar app and help GM fix it -- and it seems as if that's precisely what's happening. GM is working to patch the RemoteLink bug now and Kamkar says he's in contact with the company as they fix it. He plans to reveal more technical details about OwnStar at Defcon 2015, which runs from August 6th to the 9th in Las Vegas.
OwnStar update: GM told WIRED that OnStar bug was fixed, however it's not actually resolved yet. I spoke with GM & they're working on it now — Samy Kamkar (@samykamkar) July 30, 2015
@engadget We take all cyber matters very seriously. An enhanced RemoteLink app will be made available soon to fully mitigate the risk. — OnStar (@OnStar) July 30, 2015
This is the second major car-based hack to surface this month. On July 24th, Fiat Chrysler issued a voluntary recall of 1.4 million US vehicles with certain touchscreen entertainment systems, after Wired reported that it was possible to remotely cut the engine, disable and activate the brakes, and track the location of these cars.