
Hacker shows he can locate, unlock and remote start GM vehicles - henrik_w
http://www.computerworld.com/article/2954668/telematics/hacker-shows-he-can-locate-unlock-and-remote-start-gm-vehicles.html
======
uptown
OnStar sent this email out on July 31st:

    
    
      Thank you for being a loyal OnStar customer. We're happy to have you as part
      of the OnStar family and appreciate the confidence you have in us.
    
      We are writing to inform you that we have recently made a security update to 
      your OnStar RemoteLink mobile app. As a result, the current version of the 
      app you have on your Apple device will no longer be functional and you 
      will need to update to the most recent version.
    
      Click here to download the Remote Link app.
    
      We hope that you will continue to use OnStar services and experience all 
      that OnStar has to offer. OnStar advisors are ready and available 24/7 
      to assist you.
    
      Sincerely,
      Onstar
      Terry M. Inch
      OnStar, Chief Operating Officer

------
aleh
I would never ever want to be in a car whose acceleration can be controlled
remotely via the Internet, even in theory.

~~~
quonn
These are security issues, it's not by design. We will see more issues like
this one and they _are_ bad, but this would be the least of my worries. There
is no money in exploiting these bugs and even so-called script kiddies will
probably not want to risk killing anyone. There are real risks, like buggy
software in your ECUs which can be deadly without any Internet connection.

~~~
tomp
It _is_ by design, it must be.

There is the acceleration module, then there is a wireless networking module,
and there is a physical wire connecting them.

Very shitty, very dangerous design.

~~~
TeMPOraL
More like, there is this acceleration module and there is this pedal that must
hook into it, and there is this handy bus going through the car that you can
connect the two systems to in order to make them talk with each other.

And then you add a radio, and a knob under the steering wheel to control it,
and think - hey, I have this handy bus I can reuse so that they talk with each
other. And suddenly, your radio talks to your brakes.

I don't think it's malicious design. More likely stupid one, or just a result
of people being used to treating car hardware as trusted environment - where
obsessing over security is just a waste of resources. It's just that when you
introduce an Internet-connected device to that environment, it's not trusted
anymore.

~~~
tomp
I'd still argue that anyone who connects radio, travel computer or air
conditioning systems (non-critical, not real time) with braking, acceleration
and external lighting systems (mission-critical, realtime, potentially
lethal) is maliciously stupid.

~~~
alienasa
In almost all cars there are in fact two CAN buses - a high speed, low
security bus that connects the radio to the entertainment system and so on,
and a low-speed, high security (in terms of components, not actual security)
bus that connects the brakes to the ECU and so forth.

The issue is that frequently systems like OnStar sit on _both_ buses, because
they are used for things like engine diagnostics. If you investigate you'll
notice that every single one of these car hacking attacks starts somewhere,
pivots to an OnStar like system, then can control the car.

Doesn't really make your point less true, but fits perfectly in the features
over security mindset.

~~~
Too
Two CAN buses is a quite low number. Last system I saw, which was pretty old,
had at least half a dozen from what I could tell from my end of the system,
probably even more internally inside or behind other components. Modern cars
also use FlexRay, LIN, MOST and all other kinds of buses. The reason for this
is safety, bandwidth and that the delay jitter on a highly loaded CAN bus can
be relatively unpredictable for high frequency control requirements like
suspension, traction and other engine related control.

------
PinguTS
Actually, that is not really a car hack.

He intercepted the communication from the app. So it is an app hack like we
have seen numerous times. It may be different, but it sounds like cookie
stealing, which was possible with the Facebook app and the Instagram app. Then
with those credentials you can do all those things that you are supposed to do
as if you were the legit user.

All those functions are functions supposed to be done by the app. So there is
no hacking on the car side done. The interesting piece of information would
be: can that be used to actually hack the car?

~~~
travelton
Having purchased an internet connected Hyundai (via their BlueLink service)...
I've been curious whether I can access the vehicle directly through its
internet connection.

So far, sniffing the packets from the iOS BlueLink app, it appears to broker
requests through a service by Covisint [http://www.covisint.com/]. From there,
I cannot figure out how the vehicle communicates to receive these messages.

The payloads between iOS and Covisint contain tons of information about the
vehicle, but nothing that exposes the communications between the vehicle and
BlueLink or Covisint.

The vehicle has the ability to connect to Wifi... I will prod at that next. :)

~~~
michaelt

      From there, I cannot figure out how the vehicle
      communicates to receive these messages.
    

Prediction: 3G/4G, with specific settings on the SIM giving it access to a
private APN.

~~~
JonathonW
And, if you're lucky, it's connecting to a private IP network.

The Chrysler hack was possible because the cars' built-in cell connection
_wasn't_ connecting to a private network; the cars were unfirewalled and
accessible to anything else that happened to be on Sprint's cellular data
network.

------
hoopism
I am a volt owner and have the app mentioned in the article...

It appears that the hacker can gain access to whatever the phone app is
capable of... which is not THAT much really. You can absolutely start and stop
the car but you need the key fob to actually drive the car and I don't believe
you can stop it when it is actually being driven.

There are no speed or braking controls in the app. You can unlock/lock,
start/stop and trigger the alarm.

In addition, the device must be near the car and the user must be using the
app.

I am glad they are patching this, but it's really not on par with prior
vulnerabilities as far as I can tell.

~~~
kordless
If I recall, there was an article a few years ago about OnStar helping the
cops turn off a car that had been stolen.

Turning off a car while you are driving it is a big deal.

~~~
logfromblammo
The official GM OnStar app exposes certain do-it-yourself features to the
phone user, such as remote start, lock/unlock, and "I forgot where I parked"
alerting. These are the same functions that often appear on key fob buttons.

OnStar is capable of performing more functions, such as locating the car when
it is out of sight/sound range, slowing down the engine, locking down the
ignition, and performing remote diagnostics.

I couldn't confirm this by reading the article, but it might be possible that
the protocols and APIs used by the app could be hacked to perform OnStar
functions that were not intended for use through the app.

So if the app sends OnStarApp( REMOTE_UNLOCK, VEHICLE_ID, APP_AUTH_KEY ),
someone might try skimming the authentication credentials, and then send
OnStarApp( STOLEN_ENGINE_SLOWDOWN, VEHICLE_ID, APP_AUTH_KEY ).

In GM's mind, the app is trusted software, so any message that looks like it
came from the app must have been requested by the owner, through the app. And
since the app can only send "safe" commands, like those performed by a radio
key fob, OnStar can simply execute whatever command the app message requests
without checking it. That would be the same way the CANbus works. If a valid
message appears on the bus, addressed to your microcontroller, you act on it
as though it were genuine.

They aren't software developers. They're automotive engineers. The design
goals are different. In their world, Eve never listens to other people's
conversations, cosmic rays never flip bits in memory, and no one outside the
company will ever understand your car better than your own engineers.

But there are people out there who _will_ try to figure out if they can pop
the trunk release using any component of the car _except_ the trunk release
button. Hackers do that kind of thing for fun. And, in doing so, they may find
out that not only can they do that, but they can also do things like shut off
the engine with a maliciously malformed digital radio station signal.

Then they connect a handheld yagi to their laptop, broadcast the signal at a
friend's car, and tell them to hit the "scan" button on their radio while
idling in their driveway. Then it hits 88.1-3, a recording of "I'm sorry Dave,
I'm afraid I can't do that" plays over the car speakers, and then the engine
shuts off. It is a source of great amusement, until the "Oh, shit" thought
occurs: "We did this for giggles. Someone else could do the same thing to
murder people."

Then they contact the auto manufacturers, who don't do much about it. Then
they present it to DefCon, and talk to the media. And we _still_ don't have an
acceptable solution. Certain models of car are potentially vulnerable to
attacks that we can demonstrate in controlled tests, and which are possibly
occurring in the wild in a way that cannot be easily detected.

------
Aoyagi
I'm curious - what happens to these cars (not specifically GM's, just these
"smartcars" in general) when you disable/disconnect/destroy the (presumably)
SIM card or whatever it uses to connect to cell data?

~~~
computator
Another question you should ask is How difficult is it to disable OnStar? The
answer: Quite difficult.

OnStar's module is in deeply embedded inside the car and in different
locations in different models. OnStar is tied into the vehicle diagnostics and
electrical system. If you manage to find it, and pull its cables out or
something straightforward like that, your car will probably report an engine
error and not start. (This issue has been reported and discussed extensively
in car hacking forums.)

I asked my local GM dealer--a very large dealer, by the way--about disabling
OnStar permanently (at the hardware level). They told me (a) they don't know
how to do it, (b) I'm the first person to ever ask about it, (c) they think it
might void the warranty (I don't know if they are right or wrong), and (d)
they're unwilling to do it.

~~~
JustSomeNobody
GM would go after you and your dealer for a DMCA violation.

Sadly, I'm not even being sarcastic.

~~~
inversionOf
You aren't being sarcastic, but instead are simply making things up.

GM dealers are all supposed to know how to disable OnStar, and indeed it is
usually actually quite easy for an end user to do, with no negative impact on
the vehicle. I have a 2010 Traverse and disconnected the OnStar module and
antennas with no negative impact outside of OnStar -- it is in an easily
accessed compartment near the back of the vehicle.

Some dealerships simply never deal with this, though, just as they are
supposed to know how to disable the passenger side airbag but many have no
clue and act incredulous. It just isn't that common.

GM doesn't widely share the information on disabling it because ostensibly a
purpose of the system is theft recovery -- that if your car is stolen they can
track it, which becomes less achievable if every thief just pulls a fuse or
something. Nonetheless the information is out there and easy to find.

~~~
geggam
Why is it you as the owner of the car cannot disable something inside your car
that doesn't relate to your ability to be transported.... that IS being
targeted with the DMCA.

~~~
inversionOf
Who said you _can't_? Again, there is a simple little box with a wire
connector that you can easily disconnect. I did exactly that. Fear mongering
about how everything will start failing is not backed by reality.

~~~
geggam
GM is joining John Deere in this fight

[http://www.wired.com/2015/04/dmca-ownership-john-deere/](http://www.wired.com/2015/04/dmca-ownership-john-deere/)

~~~
Aoyagi
If this thing is related at all, it's about not "hacking" the OnStar.

------
merpnderp
The article says that Kamkar intercepts the connection from a user's phone.
Wouldn't that either imply this only works for phones on weak 2/3g connections
or that the hack is much more impressive in that 4g/lte connections can be
intercepted?

~~~
nly
Possibly a 2G attack. Hardware visible in the video is fairly ordinary:

    - Raspberry Pi
    - RTL8187L USB 2.0 WiFi module
    - Adafruit FONA mini GSM/GPRS module[0]. Not LTE capable.

[0] [https://learn.adafruit.com/adafruit-fona-mini-gsm-gprs-cellular-phone-module/overview](https://learn.adafruit.com/adafruit-fona-mini-gsm-gprs-cellular-phone-module/overview)

~~~
noinsight
This FONA thing is pretty cool, I've been wondering how you could (simply)
create an SMS-based service.

~~~
emilburzo
A cheap Android phone might be easier.

------
rogeryu
Imagine this: a smart kid creates an app that lets the horns of multiple cars in a
parking lot honk like in a symphony. Even more fun: someone walks over that
parking lot, and you follow them with honks from different cars. Man, I would
love to see that!

------
Sir_Cmpwn
The sci-fi movie version of hackers in the future, who can bend everything
around them to their will, is perhaps not so far fetched. Instead of future
hackers being really good at it, maybe the vendors that build everything are
just incompetent.

~~~
mtgx
And we don't even have fully autonomous cars on the street yet. That's when
the _real fun_ will begin.

------
kofejnik
Why would a car be online at all, especially when parked? What is the benefit
to consumer?

~~~
dangrossman
* In the winter, you can start the car's heat while you're inside so it's warmed up when you get in.

* In the summer, you can start the car's a/c so it's cooled down when you get in.

* Send the address I just looked up in Google Maps to the car's navigation system, so I don't have to re-type it when I get in, I can just start driving.

* I drive an electric car, and also check battery level from inside so I'm sure I have enough range to get to my destination, and can tell the car to start charging remotely, or schedule charging windows in advance.

I find all of these internet-enabled features useful.

~~~
kuschku
Fun fact: The first two use cases are actually illegal in Germany. You may not
run the motor or any in-car appliances while the car is not moving, and you
may not move the car if it is not desperately necessary (yes, taking the car
to visit your neighbor 20m away is actually illegal)

------
shultays
Why do embedded platforms not give a damn about security? It looks like they
just don't care.

~~~
munin
here's a scenario, let's say that GM goes hog wild after this and hires every
expert security researcher with experience in this domain. they create an
internal tiger team for security. they re-organize their entire product
delivery pipeline to incorporate internal and external security audits and
they publish everything they do. and they create and fund an open bug bounty
program for bugs in all auto manufacturers (proxied through a non-profit) and
make a "pwn2own for cars" or something and after five years, GM cars are
measurably more secure than any other car manufacturer.

in this future in five years, do you buy GM? no? that's why they don't give a
damn about security.

~~~
kabdib
You could make a "drive by" (in the literal sense) gizmo that bricks
vulnerable cars, maybe even causes expensive physical damage. Can you start a
car fire by controlling fuel pressure pumps and injectors, or destroy a
turbocharger? Stick a ten minute delay in your injected code and you're long
gone.

GM (or really, virtually any car manufacturer with the possible exception of
Tesla) would be caught flat-footed.

Firmware in consumer products ( _especially_ where radio or network access is
present) needs to have a security model. Car makers have been betting they
didn't need to spend much money worrying about security; it doesn't look like
that bet is going to pay off.

If this becomes a thing that any kid with $30 of electronics can do, dinosaur
makers are toast.

~~~
grkvlt
I hate to break it to you, but any kid with USD 0.10 can start a fire in a car
today. It requires a.) one rock and b.) one box of matches. Break a window
with the rock, then throw lit matches onto the upholstery. Really, the threat
model is _NOT_ disaffected kids.

------
at-fates-hands
While the paranoia about this has been rampant for a while, this article (from
last year) points out that manufacturers ARE working on this and have been for
some time:

[http://money.cnn.com/2014/06/01/technology/security/car-hack/](http://money.cnn.com/2014/06/01/technology/security/car-hack/)

 _Continental, one of the world's three major auto parts suppliers, is
partnering with IBM (IBM) and Cisco (CSCO) to make firewalls that control the
information flow between the car's devices. Until it gets security all figured
out, the German company is holding back from adding full Internet connectivity
features, such as real-time information from the engine that alerts the local
car shop ahead of time._

 _Ford (F) hardware has built-in firewalls to prevent malicious tampering, and
the company has a team of noble hackers constantly probing for weaknesses._

 _Toyota (TM) does all that too, plus it embeds security chips in the tiny
computers throughout the car, narrowing how they communicate and lessening the
chance of outsider interference. The company even has forward-thinking plans
this year to visit the world's largest hacker conference, Black Hat._

 _It should be no surprise that Tesla (TSLA) is ahead of the pack. The Model S
is the most advanced and connected car currently available. It's worth noting
the company's mature approach to addressing vulnerabilities. Instead of
hunting down hackers who spot weaknesses, they reward them with an
"Information Security" badge that works like a Willy Wonka golden ticket,
granting exclusive access to Tesla's factory in Fremont, Calif. The company
recently sent one to a British hacker who goes by Jon of Bitquark._

But of course the government isn't helping much either. . .

 _...federal regulators will soon demand that cars automatically relay
information wirelessly to one another as part of the U.S. government's
vehicle-to-vehicle communication program. Those car-to-car messages will one
day be able to engage brakes -- or your steering wheel._

~~~
jakeogh
"...federal regulators will soon demand that cars automatically relay
information wirelessly to one another as part of the U.S. government's
vehicle-to-vehicle communication program. Those car-to-car messages will one
day be able to engage brakes -- or your steering wheel"

That's bad. Governments are (by far) the most violent organizations on earth.
They expand to control everything they can. The actions of power are always to
increase one's reliance on it. It's almost a law of nature. If we give up our
ability to control our momentum and kinetic energy, it's more than a slippery
slope. It's a path to black boxes in everything, including people.

------
markbnj
>> We take all cyber matters seriously

Because nothing says serious security like using the word "cyber" twice in
your statement.

------
ams6110
I'm sticking with my old cars that have no computers and start with a key.

~~~
ChrisArgyle
Same here although I wonder if any vehicles allow you to shut off the wireless
radios a la "airplane mode".

------
bradleyland
Your car is insured and is easily replaceable.

Car theft has declined precipitously in recent years. According to the NY
Times [1], in 1990 there were 147,000 cars reported stolen in NYC. In 2013,
that number had dropped to 7,400. On a per capita basis, it went from 1:50 to
1:1,100; a 96% drop. This dramatic reduction in theft cannot be solely
attributed to an overall reduction in crime either.

This is not an argument for the status quo. I'm just pointing out that the
principles being espoused in the responses here aren't axioms, they're value
judgements. As software developers, we're taught to be hyper-paranoid when it
comes to security, and we should be. That's how a culture of security is
built.

However, in a broad sense, a balance must be struck. Like it or not, there is
an acceptable rate of car theft, and that rate is non-zero. The acceptable
theft rate is defined by what consumers are willing to pay to insurance
companies to take on the risk and the assessment of the balance between
probability and the anticipated inconvenience of having their car stolen.
Consumer choices are defined by the alternatives, though. If the solution is
that cars shouldn't have these features at all, can you find that car? What
else do you give up in the process? Unless automakers ignore the problem, and
theft rates skyrocket, buyers are still going to seek out these network
enabled features because their convenience outweighs the risks.

Of course, it could be argued that we'll see a rise in theft again as
criminals learn to use new technologies to steal cars. This has already
happened in some places. BMW has run into a couple of fairly high profile
cases of this recently. In one case, attackers combined the easy accessibility
of the OBD II port from a broken window with a security weakness in the car's
software to bypass all the theft protection. No network access required!

The linking of the CANbus to network systems is too enticing from a consumer
convenience perspective. That genie is out of the bottle.

1: [http://www.nytimes.com/2014/08/12/upshot/heres-why-stealing-cars-went-out-of-fashion.html?_r=0&abt=0002&abg=1](http://www.nytimes.com/2014/08/12/upshot/heres-why-stealing-cars-went-out-of-fashion.html?_r=0&abt=0002&abg=1)

------
jgalt212
For reasons like this, I remain very wary of the Internet of Things.

~~~
Panoramix
IoT is one of the most useless large-scale projects that humanity has embarked
on. A giant waste of resources across thousands of companies, so your fridge
can order more milk for you. Spending billions in solving a non-problem, and
creating a myriad of vulnerabilities everywhere.

It would be amazing if we as a society would spend all that money and effort
in worthy problems.

~~~
tunap
"It would be amazing if we as a society would spend all that money and effort
in worthy problems."

On the contrary, monetization for the sake of wealth generation is a
worthwhile effort in a society based on materialism & selfish desires. We have
been programmed all our lives to take & want & connive (perfected to a science
in the US & most 1st World countries), that's what capitalism has evolved to,
IMO. This Internet Of Other Peoples' Things is just the latest, most efficient
way they have found to wheedle, cajole and manipulate us fools from our
money! Plus, don't forget the data collection opportunities! Hitler would love
the IOOPTs.

Although, Windows 10 looks to be breaking some pretty scary ground. Google &
Apple eat your hearts out!

------
codewithcheese
Samy does some great hacks, always impressed with the amount of effort he puts
into developing the hack. Here's his video which the article is based on:
[https://www.youtube.com/watch?v=3olXUbS-prU](https://www.youtube.com/watch?v=3olXUbS-prU)

Also his motorized combo lock breaker has made HN front page before
[https://www.youtube.com/watch?v=YcpSvHpbHQ4](https://www.youtube.com/watch?v=YcpSvHpbHQ4)

~~~
comrh
Also Evercookie and a drone that seeks and hacks other drones. His output is
seriously impressive.

------
lips
Is there _any_ sort of hardware network "OFF" switch in these bad-ideas-on-
wheels?

~~~
tunap
I'm not certain, but I imagine removing the comms would mitigate the threat.
First thing I did when I bought my new~ish GMC was remove the OnStar module
from under the backseat. I'm sure there is still a 'blackbox' somewhere, but I
never found any indication it has WAN capabilities. Of course, I disabled XM
too... not so much for paranoia's sake, I just needed an input for my media
device.

------
rootbear
The prefix code to control my car's shields is 16309. Maybe I should change
it.

------
tylercubell
Is the car receiving commands indirectly through OnStar itself or directly
from a smartphone connected to the in-car wifi?

~~~
travelton
The commands are likely brokered through a cloud based service. It sounds like
the OnStar hack captured the authentication token and used that to talk to the
central service to send commands to the vehicle.

------
btbuildem
Self driving cars are going to be fun

------
gardnr
You had me at locate.