Earlier this week, security technology researcher Samy Kamkar released a video of a device that he claimed allowed him to not only monitor but also intercept communications between the GM-OnStar RemoteLink app and the OnStar-equipped vehicle to which the app was connected.

Key Fob features of OnStar’s RemoteLink 2.0 app
Cleverly called OwnStar, the hack was confirmed to be legitimate by GM-OnStar. Using the OwnStar device, Kamkar could access all of the functions available to a user logged into the OnStar RemoteLink app, including locking and unlocking doors, activating the horn and lights, starting the engine, and even finding the exact location of the vehicle on the app’s built-in map.
But the hack isn’t as bad as it sounds. For instance, Kamkar couldn’t drive the car away after unlocking the doors without having the vehicle’s key or key fob — a security feature available in all General Motors vehicles. In addition, cars started remotely using Kamkar’s hack will automatically shut off after 10 minutes, and can only be started remotely twice until the owner physically enters the vehicle and starts it from the cabin. Both are examples of security measures already present in GM vehicles. However, allowing a stranger to track your vehicle’s exact location on a map and unlock its doors isn’t exactly the most comforting feeling.
The good news is that General Motors quickly issued a fix to its own systems, which Kamkar discovered was not enough to fully address the issue. GM confirmed this and, hours later, issued an update to the OnStar RemoteLink app on the iOS platform that addresses the issue. It also disabled all versions of RemoteLink susceptible to the hack.
The OwnStar device combines a basic computer called a Raspberry Pi with several wireless adapters, all housed in a protective case. Kamkar has not fully detailed the nature of the OwnStar hack. Instead, he’s waiting to reveal details at the annual Defcon hacker conference in Las Vegas, Nevada.
OnStar is a wholly owned subsidiary of General Motors (GM Holdings LLC) providing automotive telematics services. The service launched in 1996 and provides in-vehicle safety, security and connectivity services in Chevrolet, Cadillac, Buick-GMC, and Opel-Vauxhall vehicles, including Automatic Crash Response, Stolen Vehicle Assistance, Turn-by-Turn Navigation, the RemoteLink mobile app, and a 4G LTE-based in-vehicle Wi-Fi hotspot. In 2015, OnStar recorded its 1 billionth customer interaction and topped more than 1 million 4G LTE Wi-Fi-equipped vehicles.
Comments
Good that GM acknowledged the flaw and fixed it so quickly. They desperately need to stay on top of security and carefully evaluate the addition of any features that might compromise the cars’ systems. Fortunately, it seems like a good sign that nothing was able to be done to the car beyond what the RemoteLink app can control.
Maybe GM should create a rewards program like Google has, rewarding “white hat” researchers who find bugs in their systems and report them privately so they can be fixed rather than exploited.
They haven’t fixed shit! I paid cash for a 2015 Suburban LTZ for 70,000 and now this stupid app has quit working. When I try to use the Map Location Services, as soon as I enter my pin, the app crashes.
To be fair, they did fix the OwnStar hack, which has nothing to do with the app crashing during map.
What device are you using? What app version?