How a $100 Gadget Can Hijack GM Cars

Samy Kamkar has struck again.

The Los Angeles-based white-hat hacker, whom we last encountered when he used a child's toy to open garage doors, has built a $100 device that intercepts the signals from a driver's smartphone and uses them to unlock the doors, honk the horn or even start the engine of the victim's General Motors vehicle.

MORE: How to Patch Your Fiat Chrysler Vehicle Against Hackers

This isn't as serious as the flaw revealed last week in Fiat Chrysler vehicles, which let hackers remotely cut the brakes or disable the transmission of cars and trucks equipped with Chrysler's Uconnect service. (Under pressure from government regulators, Fiat Chrysler issued a recall of 1.4 million vehicles last Friday.) But it once again demonstrates the risks inherent in connecting cars to the Internet — risks that car makers often don't fully consider.

"Fortunately, the issue [with the OnStar hack] lies with the mobile software, and is not a problem with the vehicles themselves," Kamkar said in a YouTube video he posted today (July 30). "GM and OnStar have so far been receptive to me, and are already working on a resolution to protect consumers."

A GM spokesperson told Wired News earlier today that the problem had already been fixed, but Kamkar tweeted that it hadn't.

The problem lies in GM's OnStar RemoteLink app, which does not properly verify the certificate of the server it talks to. That lets a malicious Wi-Fi hotspot sitting between the phone and OnStar impersonate OnStar's servers, read the supposedly encrypted traffic and steal the user's username and password. Kamkar built a small battery-powered computer that does just that, using parts that add up to about $100.

The catch is that the computer, which Kamkar cheekily dubbed "OwnStar," has to be within Wi-Fi range of the phone belonging to a specific vehicle's driver — placed, for example, under the seat or strapped to a bumper.

It captures the credentials for the driver's OnStar connection by pretending to be a Wi-Fi hotspot the phone already "knows" and will join automatically, such as "attwifi," then sends the credentials via cellular network to the attacker's own phone.

The attacker then uses his own OnStar RemoteLink app to connect to the victim's car over a cellular network. Just like the true owner, the attacker can unlock the doors, turn on the lights, honk the horn, locate the vehicle or even start the engine. He can't drive away, however — that requires an actual key or keyfob.
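The weakness described above is on the client side: an app that accepts whatever certificate a network hands it cannot tell OnStar's real servers from a rogue hotspot's impostor. The following is an added example, not code from Kamkar, GM or OnStar, showing the vulnerable client configuration beside a hardened one that verifies the chain, checks the hostname and additionally pins the server certificate's SHA-256 fingerprint. The hostname, port and pin values are placeholders; the "certificate" bytes used in the demo are constructed stand-ins, not real DER.

```python
"""Vulnerable vs. hardened TLS client configuration (added example).

A hostile Wi-Fi hotspot can only impersonate a server if the client
accepts a certificate that does not belong to that server. The first
context below is the class of mistake that makes that possible; the
second verifies the chain and hostname and pins the certificate.
"""
import hashlib
import socket
import ssl

# Placeholder endpoint; not a real OnStar hostname.
PINNED_HOST = "api.example.invalid"
PINNED_PORT = 443

# Placeholder pins (primary plus a backup). A real deployment computes
# these out-of-band from the genuine server certificate.
PINS = {
    "0" * 64,  # placeholder primary pin
    "1" * 64,  # placeholder backup pin
}


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(cert_der: bytes, pins) -> bool:
    """True only if the presented certificate matches one of our pins."""
    return cert_fingerprint(cert_der) in pins


def vulnerable_context() -> ssl.SSLContext:
    """Accepts any certificate: a rogue hotspot can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """System trust store, chain validation and hostname check enabled."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Report the two settings that decide whether impersonation is detected."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
    }


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> str:
    """Open a verified, pinned TLS connection; raise if the pin does not match.

    Returns the negotiated protocol version. Requires network access, so
    it is not exercised by the offline demo below.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not check_pin(der, pins):
                # Chain and hostname were fine, but it is not OUR server:
                # treat as a man-in-the-middle and abort before sending data.
                raise ssl.SSLError("server certificate not in pin set")
            return tls.version()


def demo_pin_check() -> tuple:
    """Offline demo with constructed stand-in certificate bytes."""
    genuine = b"constructed-genuine-cert"   # stands in for the real DER
    impostor = b"constructed-impostor-cert"  # what a rogue hotspot presents
    pins = {cert_fingerprint(genuine)}
    return check_pin(genuine, pins), check_pin(impostor, pins)


if __name__ == "__main__":
    print("vulnerable:", describe_context(vulnerable_context()))
    print("hardened:  ", describe_context(hardened_context()))
    print("pin check (genuine, impostor):", demo_pin_check())
```

Pinning the whole certificate, as here, means the pin set must be rotated whenever the certificate is renewed; production apps usually pin the SubjectPublicKeyInfo hash instead so that a renewal with the same key does not break clients. Either way, the important part is that verification is on: without it, pinning never runs because the rogue hotspot's certificate is simply accepted.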

"To prevent this kind of attack," Kamkar says in the video, "I suggest not opening the RemoteLink app up until an update has been provided from OnStar."

Another way to reduce the chances of an attack would be for users of the OnStar app to turn off Wi-Fi on their phones when they leave the house. They'll still be able to use the OnStar app without Wi-Fi.

Kamkar plans to provide further details on OwnStar next weekend at the DEF CON hacker conference in Las Vegas.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.
