My Thoughts on Technology and Jamaica: Security Researcher Sammy Kamkar GM OnStar Hack - How OwnStar can make your GM OnStar Vehicle Gone in 60 Seconds

Friday, July 31, 2015

Security Researcher Sammy Kamkar GM OnStar Hack - How OwnStar can make your GM OnStar Vehicle Gone in 60 Seconds

 Car hacking is now an official sport in the United States of America.

Yet another Security Researcher, Sammy Kamkar, has declared that another type of connected vehicle is hackable. This time it's General Motors' OnStar telematics System, as reported in the article “OnStar hack can remotely unlock cars and start engines, GM claims to have a fix”, published July 31, 2015 by Stephen Edelstein, DigitalTrends.



The researcher, Sammy Kamkar, claims that he built a device that can hack into GM's OnStar telematics System. It does so by tapping into the communications between the OnStar RemoteLink remote-access App and the vehicle's OnStar IVE.

Already some 3 million people in the US of A alone have downloaded the OnStar RemoteLink remote-access App onto their Apple iPhones and Google Android smartphones, as reported in the article “Researcher says he can hack GM’s OnStar app, open vehicle, start engine”, published July 30, 2015 by Reuters, putting them at risk.

Sammy Kamkar finds GM OnStar Vulnerability – 7 Million GM vehicles in USA and China are hackable

He claims to have discovered the vulnerability before Security Researchers Charlie Miller and Chris Valasek demonstrated in dramatic fashion that they'd hacked a 2014 Jeep Cherokee via the Internet, as reported in my blog article entitled “Security Researcher hack a 2014 Jeep Cherokee - How to remotely hack an Internet Connected Vehicle as Remote Vehicle Homicide possible”.

Once he's compromised GM's OnStar System, he's able to not only remotely track the vehicle, but also open and close the doors and even shut down the engine as reported in the article “This gadget hacks GM Cars to locate, Unlock and start them (updated)”, published 07.30.15 by Andy Greenberg, Wired!

Like the original Jeep Cherokee researcher pair, he also plans to make a splash at the DefCon Conference and possibly the Black Hat Security Conference in Las Vegas come August 2015.

Coming a little over a week after the dramatic hacking of the Uconnect software in the 2014 Jeep Cherokee, a model owned by Fiat Chrysler, the timing looks a little suspicious.

But if it is as serious a vulnerability as he claims, then GM’s 7 million OnStar subscribers in the US of A and China, as reported in the article “New OnStar hack can unlock cars and start engines”, published July 30, 2015 by Russell Brandom, The Verge, are at risk.

So how serious is this vulnerability, really?

GM’s OnStar Hack - Less Dramatic but dangerous like the Fiat Chrysler Uconnect hack

It'd be good first to analyze how Security Researcher Sammy Kamkar's hack works.

First, he built a Wireless Data Transceiver, which he calls “OwnStar”, that can tap into the Bluetooth or Wi-Fi transmission between the OnStar RemoteLink remote-access App on the driver's smartphone and the OnStar System in the IVE (In-Vehicle Entertainment) System.



Unlike the vulnerability found by Security Researchers Charlie Miller and Chris Valasek, this device has to be located close enough to the vehicle to tap into the communication to the OnStar System and listen in on the instructions being sent to the CAN (Controller Area Network) Bus. GM has the same vulnerability as the Fiat Chrysler vehicles: the Engine management System, IVE and Communications all share the same common CAN Bus!

So gain access to one and you can gain control of the entire vehicle's functionality, from the Radio straight down to the Engine, Brakes and Windows! You might reason to yourself that this hack isn't so serious, as you have to be in proximity of the vehicle in order to hack into its CAN Bus.

But in reality this vulnerability is just as bad as the one discovered the week before by Security Researchers Charlie Miller and Chris Valasek.

Security Researcher Sammy Kamkar GM OnStar Hack - How OwnStar can make your GM OnStar Vehicle Gone in 60 Seconds

In this case, you only need to install the device on the vehicle and then hide some distance away before the owner returns. The “OwnStar” device then listens in on the Bluetooth communications between the GM vehicle's OnStar System and the OnStar RemoteLink remote-access App.



Because most of this data is unencrypted, the device, most likely attached to the vehicle's undercarriage by magnets, can constantly listen in on each command being sent through the day as the driver opens and closes their car remotely. It records the Bluetooth communications like a keylogger, from as far away as 30 meters.

Once it has recorded enough of these transactions, which are effectively unencrypted access keys, the hacker can then revisit the vehicle at a convenient time and remove the device.

He can then take it home and, using a laptop or desktop computer with a suitable RS232C or USB interface, dump the memory store onto the computer. Then, using special decryption software, he can take anywhere from minutes to days to crack the keys and the channel used by the victim’s smartphone Bluetooth interface.

Once he has the keys, he can generate fake security certificates for the OnStar RemoteLink remote-access App Server and access the Server as if he were the driver. He can then use them to not only remotely track the vehicle, but also open and close the doors and even shut down the engine.

By authenticating himself as the user of the OnStar RemoteLink remote-access App via cellular Internet or even from a laptop, he can also use it at close range with a Bluetooth-enabled smartphone to steal the vehicle, the ultimate prize after all his efforts.

No need to break into the vehicle in real time, as the owner, by using his or her smartphone repeatedly, will basically give you the unencrypted keys over time, and with them access to the vehicle at a later date of your choosing.
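To show why the recorded transactions described above act as reusable keys, here is an added Python model (not Kamkar's code and not OnStar's actual protocol): a remote "unlock" command carrying a static secret is accepted again when replayed, while a counter bound to the command by an HMAC makes the same recording useless a second time and rejects an altered command. The message format, key and token values are constructed assumptions.

```python
import hmac
import hashlib

def static_token_message(token: str, command: str) -> dict:
    """Weak design: the same secret rides on every command in the clear."""
    return {"token": token, "cmd": command}

def static_token_accept(expected_token: str, msg: dict) -> bool:
    """Anyone who recorded one message now holds the token and can resend it."""
    return hmac.compare_digest(msg.get("token", ""), expected_token)

def authenticated_message(key: bytes, counter: int, command: str) -> dict:
    """Hardened design: a per-command counter bound to the command by an HMAC,
    so a recorded message is useless once its counter has been consumed."""
    payload = f"{counter}:{command}".encode()
    return {"ctr": counter, "cmd": command,
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

class ReplayResistantReceiver:
    """Vehicle-side verifier that accepts each counter value at most once."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, msg: dict) -> bool:
        ctr = msg.get("ctr", -1)
        if ctr <= self.last_counter:      # replayed or out-of-order message
            return False
        payload = f"{ctr}:{msg.get('cmd', '')}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False                  # forged or tampered command
        self.last_counter = ctr
        return True

def demo() -> dict:
    """Record one 'unlock' under each design, then replay or alter it later."""
    captured = static_token_message("owner-secret-42", "unlock")  # constructed
    static_replay = static_token_accept("owner-secret-42", captured)

    key = b"per-vehicle key (constructed)"
    car = ReplayResistantReceiver(key)
    captured_auth = authenticated_message(key, 1, "unlock")
    first = car.accept(captured_auth)                   # genuine command
    auth_replay = car.accept(captured_auth)             # same bytes resent
    forged = car.accept(dict(captured_auth, ctr=2, cmd="start"))
    return {"static_replay": static_replay, "first": first,
            "auth_replay": auth_replay, "forged": forged}
```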

The OwnStar is thus quite appropriately named. The intent of the OwnStar electronics package is not to cause Remote Vehicular Homicide.

Rather, it's just an aid to stealing a high-value connected Vehicle by taking advantage of the unencrypted communication between the OnStar RemoteLink remote-access App on the driver's smartphone and the OnStar System in the IVE (In-Vehicle Entertainment) System, which some 7 million GM customers currently use.

 With GM boasting of some 1 billion OnStar customer interactions, 8.8 million of which are done via the OnStar RemoteLink remote-access App, expect the next target of hackers to be the Server and the OnStar RemoteLink remote-access App itself.

OwnStar means GM OnStar IVE is hackable - How the NSA can remotely control your Vehicle

Remember, too, that GM has signed up with Apple Carplay and Android Auto for their 2016 line of Vehicles, as reported in my blog article entitled “Apple Carplay and @Android Auto on GM Vehicles – How Smartphone OS Voice Assistant IVE are invading Hands-Free Driving Space”.

If a device can be used to intercept the communications between the GM Vehicle's IVE and the OnStar RemoteLink remote-access App, why not exploit potential vulnerabilities in those Apps as well, in the Smartphone OS, or even hack the Server that the App communicates with?

After all, it's already possible to install an App on a Smartphone that can remotely allow a hacker to issue commands to the Baseband Processor and shut it down remotely as explained in my blog article entitled “NSA smartphone hack via the Baseband Processor - How NSA can remotely control your smartphone and Defense Against the Dark Arts”.
 
So wouldn’t it be possible for the NSA (National Security Agency), for example, to compromise your vehicle by hacking into the Apps, servers or a potential target's smartphone?

This was the plan that the Five Eyes Alliance had hatched to compromise the servers that hosted Alibaba’s UC Browser App, based on Edward Snowden's revelations, as explained in my Geezam blog article entitled “NSA and Five Eyes Alliance in Project Irritant Horn Spying on Arab Spring Jihadists”.

GM issues a fix, Researcher Sammy Kamkar says it’s not fixed – DefCon will reveal OwnStar in great detail

To date, GM claims to have fixed the vulnerability, as reported in the article “GM quickly issues fix for OnStar hack, but service still vulnerable”, published July 30, 2015 by Tim Stevens, CNET News, by guarding its OnStar System against fake security certificates being sent to the servers that control the OnStar RemoteLink remote-access App.

But Security Researcher Sammy Kamkar says it's still not actually resolved, based on his communication with GM, as reported in the article “The GM OnStar hack still isn't completely fixed”, published July 31st 2015 by Cadie Thompson, Business Insider.

So come August 2015 at the DefCon Conference and possibly the Black Hat Security Conference in Las Vegas, Nevada, Security Researcher Sammy Kamkar's work will be on display, completely revealed for all to use as they see fit.

Hopefully by then, GM and other Car makers with similar known vulnerabilities will have patched their systems. Otherwise, they’ll really be Gone in 60 Seconds, Nicholas Cage Style!
