How a $100 Gadget Can Hijack GM Cars

Samy Kamkar has struck again.

The Los Angeles-based white-hat hacker, whom we last encountered when he used a child's toy to open garage doors, has built a $100 device that intercepts the signals from a driver's smartphone and uses them to unlock the doors, honk the horn or even start the engine of the victim's General Motors vehicle.

MORE: How to Patch Your Fiat Chrysler Vehicle Against Hackers

This isn't as serious as the flaw revealed last week in Fiat Chrysler vehicles, which let hackers remotely cut the brakes or disable the transmission of cars and trucks equipped with Chrysler's Uconnect service. (Under pressure from government regulators, Fiat Chrysler issued a recall of 1.4 million vehicles last Friday.) But it once again demonstrates the risks inherent in connecting cars to the Internet — risks that car makers often don't fully consider.

"Fortunately, the issue [with the OnStar hack] lies with the mobile software, and is not a problem with the vehicles themselves," Kamkar said in a YouTube video he posted today (July 30). "GM and OnStar have so far been receptive to me, and are already working on a resolution to protect consumers."

A GM spokesperson told Wired News earlier today that the problem had already been fixed, but Kamkar tweeted that it hadn't.

The problem lies in GM's OnStar RemoteLink app, which has encryption flaws that allow malicious Wi-Fi hotspots to intercept its signals and steal the user's username and password. Kamkar built a small battery-powered computer that does just that, using parts that add up to about $100.

The catch is that the computer, which Kamkar cheekily dubbed "OwnStar," has to be within Wi-Fi range of a specific vehicle's driver's phone — say, for example, under the seat or strapped to a bumper.

It captures the credentials for the driver's OnStar connection by pretending to be a "known" Wi-Fi hotspot, such as "attwifi," then sends the credentials via cellular network to the attacker's own phone.

The attacker then uses his own OnStar RemoteLink app to connect to the victim's car over a cellular network. Just like the true owner, the attacker can unlock the doors, turn on the lights, honk the horn, locate the vehicle or even start the engine. He can't drive away, however — that requires an actual key or keyfob.

"To prevent this kind of attack," Kamkar says in the video, "I suggest not opening the RemoteLink app up until an update has been provided from OnStar."

Another way to reduce the chances of an attack would be for users of the OnStar app to turn off Wi-Fi on their phones when they leave the house. They'll still be able to use the OnStar app without Wi-Fi.

Kamkar plans to provide further details on OwnStar next weekend at the DEF CON hacker conference in Las Vegas.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.