General Motors OnStar Bug Allows Hackers to Take Over Car

Let's call this new hack Christine. In 1983, Steven King released a novel of the same name, describing a vintage Plymouth Fury possessed by supernatural, murderous powers. The movie followed soon after. Three decades later and a vulnerability in General Motors' OnStar system allowed very non-supernatural hackers to take over cars from afar, locating the vehicle, unlocking it, and starting its ignition.

Thankfully, OnStar was not connected to a vehicle's steering, brakes, or transmission, meaning hackers couldn't use the security gap to rundown teenagers a la Christine. But the vulnerability, since fixed, certainly highlights the risks of week security in high-tech automobiles.

From OnStar to OwnStar

OnStar has over seven million users in the United States and China, according to The Verge -- many of whom were at risk until the exploit was resolved last Friday. GM's OnStar service allows users to locate, unlock and start their car from a smartphone app. That's helpful when you're looking for your car in a crowded garage, don't want to struggle with keys, or are simply trying to impress your friends. But GM's OnStar app was not very secure, failing to check against false encryption certificates, allowing other devices to essentially forge credentials to access the system.

Thankfully, the hack doesn't appear to have ever been used maliciously. Hacker Sam Kamkar discovered the vulnerability and is planning on revealing the full details at the upcoming DefCon hacker conference this week.

Wired reports that, for just $100, Kamkar was able to create a small Wi-Fi hotspot device which can take over the OnStar system. Kamkar would attach the box, which he calls "OwnStar," to an OnStar-enabled car. OwnStar would then intercept communications from the driver's phone, stealing the driver's credentials. Those credentials could then be used to take over the OnStar system. Had GM installed simple authentication protections, the kind commonly found in Internet browsers, the hack wouldn't have been possible.

Hacking the Car, the Couch, the Commode

Kamkar never stole any vehicles using the OwnStar hack -- car hacking as car jacking. He only tried it on his friends GM Volt. But, that he was able to gain control over the OnStar system highlights the risks of unprotected car electronics. Had Kamkar been able to hack into a different sort of car, say a driverless vehicle, he may have been able to recreate a few scenes from Christine.

The hack serves as a good reminder that, as electronics and WiFi capability become more and more integrated into common machines, the risks of hacking everyday objects increase. The Internet of Things provides a whole new universe of potential hacks and exploits.

Steven King could create an entirely new oeuvre dedicated to killer machines -- we're already imagining a future of hijacked La-Z-Boys, homicidal thermostats, terrorist "smart toilets," and the like.

Related Resources:

• Hacking Cars, Power Plants and Rifles at Black Hat (USA Today)
• Who Will Be Responsible in Our Driverless Car Future? (FindLaw's Technologist)
• Google Invents Unspeakable, Cuddly Terror (FindLaw's Technologist)
• FTC's 'Internet of Things' Report States the Obvious (FindLaw's Technologist)