August 18, 2015
Samy Kamkar is a security researcher who, earlier this month, exposed a vulnerability in GM's, or more specifically OnStar's, programming with a device he called OwnStar. Before heading to last week's annual Def Con in Las Vegas, he showed the zero-day to GM and OnStar so that they could quickly address the problem. Despite this, he still had a few zero-days to expose at the hacking conference. Now the OwnStar device can cast its web more widely, as the list of vehicles with similar oversights has expanded to include BMW, Mercedes, and Chrysler vehicles.
The device is quite simple and frighteningly inexpensive to make. With $100, a hacker could do anything except put your car in drive. Beyond a $100 investment, all it takes is a bit of patience. The box (which is smaller than three VHS tapes stacked on top of each other) holds three radio transmitters and a small computer. The radios put out a WiFi signal while the computer tricks connected iOS devices into joining this malicious WiFi network.
Think of OwnStar as the equivalent of an illegal gillnet: it dangles behind a ship, mercilessly entangling everything it can. Not everything caught can be eaten (hacked); many of the fish are tossed back into the ocean (preferably alive; sometimes they explode, but none of this is part of the analogy here). Though I suppose a hacker/mechanic could put your airbag under your seat (hopefully not one made by Takata Corporation). Unfortunately, some fish are delicacies, like the rebranded Patagonian toothfish (Chilean sea bass), which gets sold for a fortune and eaten, or, in the car's case, unlocked from an app and looted or vandalized.
At first it was just OnStar (hence the name OwnStar), but now the web attack has expanded its capabilities: Chrysler UConnect, MBrace, BMW Remote and many other apps on iOS are vulnerable to the inexpensive WiFi-mimicking device. The reassuring aspect is that the car cannot be completely stolen, but with enough malice and forethought the exploit is still rather sobering.
It is especially sobering when one considers how quickly the exploits were discovered. Kamkar was actually planning to expose another system's shortcomings at Def Con, but it was patched before the event. So he decided to find a new flaw… a few weeks before the convention… and succeeded. He then told GM/OnStar about the exploit and was still able to shock hackers at the convention after discovering he could use the same device on thousands (more likely millions) of other cars. Hilariously, the only saving grace has been the US Government. Ironically, it was not on purpose. Automotive software safety was not even in the US Government's zeitgeist until the FCA hack. The reason things were not worse is that legislation is notoriously sluggish when it comes to accommodating new technologies. The reason cars cannot park themselves or drive remotely is not that the technology does not exist, but that the laws pertaining to them do not. Had OwnStar's web of efficacy expanded when cars had the ability to drive remotely or autonomously, they would be driving off into hacker hands while automakers scrambled to fix fatal flaws.