OwnStar car hacker can remotely unlock BMWs, Benz and Chrysler

Last month security researcher Samy Kamkar announced a vulnerability that allowed him to remotely unlock OnStar-enabled GM cars. While that issue has been fixed, it looks like the same vulnerability found in OnStar is also present in BMW Remote, Mercedes' mbrace and Chrysler's Uconnect. Kamkar told Engadget via email, "the issue itself is the same exact SSL certificate issue that affected OnStar/GM (which they've resolved two weeks ago). It was barely any tweaking of the original system -- a few lines of code to add support per vehicle." Uh oh.

The OwnStar device intercepts communication between a vehicle and its companion app and sends that information -- including login information -- to Kamkar, who then has control of the vehicle via the app and can unlock it.

If you're feeling smug about your vehicle because Kamkar hasn't called it out, you might want to curb that. The SSL certificate issue that allows a person to log in to a vehicle is pretty widespread. "Unfortunately it's prevalent among half the other mobile unlocking apps I've tested," Kamkar said.

A Chrysler spokesperson told Engadget, "Consumer safety and security is our highest priority," and said that it "supports the responsible disclosure and remediation of cyber security vulnerabilities. Consistent with our focus on consumer safety and security FCA US opposes irresponsible disclosure of explicit 'how to' information that can help criminals gain unauthorized access to vehicles and vehicle systems."

Kamkar won't be releasing the updated code for OwnStar for at least 30 days so the automakers have a chance to update their systems. But if you're an automaker that hasn't been called out by hackers or security researchers, you might want to check your systems anyway.

We have contacted BMW and Mercedes-Benz for this article and will update when they reply to our queries.
