Your BMW or Benz Could Also Be Vulnerable to That GM OnStar Hack

A hack that could unlock, track, and remotely start GM vehicles may also affect at least three other automakers.
Samy Kamkar’s “OwnStar” device.
Julian Berman for WIRED.

If you thought your pricey Benz or Bimmer had escaped the rash of recent hacks affecting Chrysler and GM cars, think again.

When security researcher Samy Kamkar revealed a bug in GM’s OnStar service last month that allowed a hacker to hijack its RemoteLink smartphone app, he warned that GM wouldn’t be the only target in an increasingly internet-connected auto industry rife with security flaws. Now Kamkar’s proven himself correct: He’s found that the internet services of three other carmakers suffer from exactly the same security issue, which could allow hackers to unlock vehicles over the internet, track them in some cases, and even remotely start their ignitions.

Over the last week, Kamkar has analyzed the iOS apps of BMW’s Remote, Mercedes-Benz mbrace, Chrysler Uconnect, and the alarm system Viper’s Smartstart, and found that all of those internet-connected vehicle services are vulnerable to the attack he used to hack GM’s OnStar RemoteLink app. “If you’re using any of these four apps, I can automatically get all of your log-in information and then indefinitely authenticate as you,” says Kamkar. “These apps give me different levels of control of your car. But they all give me some amount of control.”


Kamkar’s attack, which he first revealed to WIRED last month, uses a $100 homemade device he calls OwnStar, in a reference to GM’s OnStar and the hacker slang “to own”—or take control—of a target. Plant the device somewhere under a car’s body, and it can impersonate a familiar Wi-Fi network and trick a driver’s phone into connecting to it. When the driver uses his or her OnStar RemoteLink app within Wi-Fi range, the OwnStar device takes advantage of an authentication flaw in how the RemoteLink app implements SSL encryption, allowing the small box—little more than a Raspberry Pi computer and a collection of radios—to intercept the user’s credentials and send them over a cellular connection to the hacker. From then on, the hacker can do everything a legitimate OnStar customer can do, including locating, unlocking, and remotely starting his or her car.

Here’s Kamkar's video of OwnStar in action:

https://www.youtube.com/watch?v=3olXUbS-prU&feature=youtu.be

GM quickly responded to WIRED’s story about OwnStar with a software patch, requiring all its RemoteLink users to update. But Kamkar has now updated his OwnStar device to also intercept the credentials of BMW, Mercedes-Benz, Chrysler, and Viper's apps. However, unlike his OnStar hack, which he tested on a 2013 Chevy Volt, he hasn’t been able to try any of the stolen credentials from his tests on actual vehicles. He says he’s also holding off on releasing the code for his revamped attack to give the four companies a chance to fix their security problems.

Those four apps each have different capabilities that could allow a hacker using OwnStar to pull some nasty pranks or even break into a compromised vehicle. All four iOS apps allow remote locking and unlocking. The BMW, Mercedes-Benz, and Viper apps all allow the car to be located and tracked, too. And all but the Viper app allow a vehicle's ignition to be remotely started, though as with GM vehicles, it's likely the driver's key would have to be physically present to put the car into gear and drive away.

Viper didn't respond to a request for comment, saying it hoped to speak with Kamkar to learn more details about his work. But a Mercedes-Benz spokesperson wrote in an email to WIRED that "we don’t want to engage in speculation about potential hacks (often the result of extreme manipulation) that have very little likelihood of occurring in the real world and create unnecessary concern." A BMW spokesperson wrote in a statement that its apps "conform to the same industry standards as other apps that use SSL-encrypted communication with a backend, such as online banking apps." The statement added that "a man-in-the-middle attack on client-server communication can never be completely ruled out, but is virtually impossible to carry out and the probability of such a specific attack in everyday life is highly unlikely." (On that "virtually impossible" claim, Kamkar disagrees, reiterating that he has intercepted credentials from the company's app, and has even used the same attack to unlock an actual GM car last month.)1

A spokesperson for Chrysler parent company Fiat Chrysler Automobiles wrote that the company takes cybersecurity seriously but that "FCA US opposes irresponsible disclosure of explicit 'how to' information that can help criminals gain unauthorized access to vehicles and vehicle systems." He added that "to our knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle."

Chrysler actually has seen at least one recent "real-world" hack of its vehicles. Security researchers Charlie Miller and Chris Valasek demonstrated to WIRED last month they could use a different vulnerability in its vehicles' Uconnect computers to wirelessly hijack a 2014 Jeep Cherokee over the internet. Chrysler responded with a recall of 1.4 million vehicles. Patching that Uconnect flaw requires the vehicles' owners to manually install a software update via their cars' and trucks' USB ports.

Luckily, protecting vehicles from Kamkar's OwnStar attack is much easier: It only requires the carmakers to update their apps in Apple's app store. But unlike GM, none of the four other affected automakers have yet committed to doing the same.

Kamkar says that he looked at 11 different automakers with remote unlocking and remote ignition apps, and has now found that five of them were vulnerable to his OwnStar interception trick. Given that those apps lack SSL authentication, which is a basic security measure, Kamkar says his research shows that automakers' cybersecurity efforts haven't kept up with their eagerness to connect cars to the internet. "We’re really only scratching the surface of the security of these vehicles," Kamkar says. "Who knows what will be found when researchers look further."
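What "SSL authentication" means on the client side, as an added illustration in Python (not code from the article, from Kamkar, or from any of the apps, which are iOS software): a client that encrypts but does not verify the server's certificate will hand its credentials to any impostor, while one that verifies the chain and hostname refuses the connection. The function names are hypothetical, and the certificate pin is an extra layer assumed here, not something the article describes.

```python
import hashlib
import hmac
import socket
import ssl


def audit_client_context(ctx):
    """List the ways this client context fails to authenticate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def pin_matches(der_cert, pinned_sha256_hex):
    """Compare the SHA-256 of the server's DER certificate with a shipped pin."""
    seen = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(seen, pinned_sha256_hex.lower())


def open_verified(host, pinned_sha256_hex, port=443, timeout=5.0):
    """Connect, refusing any server that fails verification or the pin."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    problems = audit_client_context(ctx)
    if problems:
        raise ssl.SSLError("; ".join(problems))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # The handshake raises ssl.SSLCertVerificationError for an impostor.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if not pin_matches(tls.getpeercert(binary_form=True), pinned_sha256_hex):
                raise ssl.SSLError("server certificate does not match pin")
            return tls.version()


def weak_context():
    """Constructed example of the flawed setup: encryption without authentication."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```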

1Updated 8/15/2015 1pm EST with an added statement from BMW.