Skip to Content

White hat hacker: GM’s OnStar app is still vulnerable

The world of connected cars is supposed to be a safer place—an environment where sensors and software help drivers navigate the roads more safely. However, that connectedness is also exposing drivers, and automakers, to a new set of risks: hackers.

Just one week after experts demonstrated how they could remotely take over the controls of a Jeep Cherokee, a white hat hacker (the term used to describe those people who hack with benevolence) has uncovered a security flaw with the mobile app for General Motors’ OnStar vehicle communications system.

This time, the problem isn’t with the vehicles, but with the mobile software.

Hacker Samy Kamkar posted a video on YouTube on Thursday describing how a device that he built can intercept communications between the OnStar RemoteLink mobile app and the OnStar service, Wired reported. Using the device—that he calls OwnStar—Kamkar showed how he was able to locate, unlock, and remote-start vehicles. The device can give the attacker the car’s location, make, and model, as well as power to unlock and remote-start the car.

[youtube https://www.youtube.com/watch?v=3olXUbS-prU]

GM’s RemoteLink app started as a feature for Chevrolet Volt owners to remotely check the status of their vehicle’s battery life, according to the company. The idea expanded and connected with OnStar to give drivers up-to-date vehicle information such as oil level, tire pressure, fuel level, and lifetime miles per gallon. Today, the app has been installed on at least 1 million Android devices, according to Google Play Store.

GM’s RemoteLink smartphone app not only lets user unlock and remote-start their cars, it displays a summary of the diagnostic data GM collects. Drivers can track fuel economy or when service is needed. So, while this latest attack might not be as dangerous as someone taking over your car, it does show one more way a hacker can gain access to personal data. The OwnStar hacking device lets the attacks do just about anything—horns, lights, unlocking, and starting—to the car except put it in gear and drive away.

Kamkar says he’ll reveal more details about the OnStar security flaw, as well as other car-related attacks in future videos and at DefCon, an annual security conference to be held in Las Vegas next week.

 

GM’s product cybersecurity representatives have reviewed the recently identified potential vulnerability, spokeswoman Renee Rashid-Merem told Fortune, adding that the company hasn’t had any other reports of hacking the RemoteLink app aside from the demonstration by Kamkar.

GM (GM) worked with the researcher to secure its back-office system and reduce risk, according to Rashid-Merem. Kamkar says while GM and OnStar have been receptive, a vulnerability still exists. Kamkar recommends consumers not open the app until an update has been issued.

“The systems work is done, which was a major step to ensure security for customers,” Rashid-Merem said in an email. “To fully mitigate the issue, we are also doing a RemoteLink app update which will be available in app stores soon.”

GM is hardly a newcomer to connected cars. The company has offered some version of wireless connectivity in its vehicles since 1996, when OnStar was born. The company has also put Wi-Fi into dozens of new Buick, Chevrolet, Cadillac, and GMC models, thanks to an AT&T 4G radio module that gives users a high-speed link comparable to what you might experience on the latest Samsung Galaxy or 4G iPad.

The company even has a cybersecurity chief who is in charge of efforts to protect the computers that run GM cars. And yet, even with considerable experience and security measures, a vulnerability was exposed.

 

This latest incident shows how mobile apps are just another gateway into a vehicle.

It also reveals the significant hurdles that lay ahead for automakers. The recent formation of the Alliance of Automobile Manufacturers (AAM)—an alliance of 12 automakers including Ford (F), General Motors , and Mercedes-Benz—couldn’t have come any sooner.

The alliance is creating an information sharing and analysis center (ISAC) that’s expected to be up and running later this year. The Center will help participating companies keep each other aware of the latest hacking threats targeting vehicles.

Sign up for Data Sheet, Fortune’s daily morning newsletter about the business of technology.