GM’s OnStar follows Chrysler’s UConnect as a proven hackable telematics service. In GM’s case, the hack involved creating a spoof of the OnStar RemoteLink smartphone app and issuing commands to the car such as remotely unlocking the doors. None involved hacks to the steering or braking functions of a car that was under way. General Motors quickly issued a fix to its OnStar servers, declared the problem solved, then learned iOS devices were still vulnerable.

GM patched the OnStar app at the end of last week and said users would need to download a new version via the Apple App Store. The RemoteLink app allows the user to remotely lock and unlock his or her car, start the engine, blow the horn, and show its location.

Vulnerability published, fixed in days

Security researcher Sammy Kamkar last week showed how he created a $100 device that passed itself off as a safe WiFi hotspot. If the owner launches his or her RemoteLink app within range of Kamkar’s box — called “OwnStar” and containing a Raspberry Pi computer and three small radios — the phone may connect with OwnStar and fork over the user’s credentials. According to Wired, which worked with Kamkar, RemoteLink uses SSL encryption (good) but didn’t verify it was talking with a genuine OnStar server (bad).

Kamkar said he spoke with GM last Wednesday (July 29) and within a day Wired published the story, GM issued an initial patch, Kamkar said he’s a good guy trying to point out connected car / internet of things vulnerabilities, and GM issued a “we take our customers’ security seriously” statement. It also said the problem was solved by patching the server. Kamkar said GM fixed the Android phone problem with a patch to the server software but not iOS, GM agreed, and updated the RemoteLink app for Apple devices. GM halted access to iOS RemoteLink, requiring users to download a new version to keep using it.

What you could lose to a RemoteLink hack

RemoteLink is mostly a convenience app for drivers who can’t remember if they locked the car when they went inside the mall. There are several safeguards already in place. RemoteLink services include several that are on the owner’s keyfob, but now it works from anywhere, not just within 50-100 yards. RemoteLink access includes:

• Remote lock, remote unlock. Especially useful if you locked your keys inside the car and also useful if your car is in the Relay Rides peer-to-peer car sharing program. The owner locks the keys inside the car and the renter, using a separate Relay Rides app (wonder if Kamkar has checked that out?) locates then unlocks the car.
• Remote start, cancel start. The car starts remotely and warms or cools itself to the pre-set temperature controls. The car can’t be driven away without the keyfob present. Nor can the can idle unattended for more than 10 minutes to avoid wasting energy.
• Locate the car. See the car on a map, zoom in to see its exactly location.
• Honk horn, flash lights.
• EV, hybrid charging. See the status of charge, set a time to start charging or set a time when charging must be complete. Also pre-warm or pre-cool the car using household electricity rather than the batteries or engine.
• OnStar user account information including car type and name, owner information, and partial credit card information (last four digits, expiration date).

What you could lose to a RemoteLink hack

Based on the RemoteLink flaws, the worst that could happen would be a thief could empty your car of its valuables. Although somebody smart enough to remotely unlock your car is probably able to go after bigger targets than a laptop bag and the old McDonald’s bags on the back seat floor.

Kamkar will detail the OwnStar hack this week at the DefCon conference in Las Vegas. Hopefully his exploits will get the auto industry thinking about what it needs to do. Owners like the convenience of remote control of safety aspects of the car, for instance double-checking that you locked the car when you checked in to your hotel and left the car in a parking lot beyond the range of your keyfob lock button. Owners of EVs want to know if their Volt or Prius is fully charged and also if they actually plugged in the car when they rushed in to the house.

More sophisticated owners’ remote apps can find parking spots and negotiate prices. They can tell you the expiration date of the lease. Automakers can send notice of recalls and blast out discount coupons.

What’s clear from the Chrysler hack (that led to 1.4 million recalls) and now the GM RemoteLink hack is that automakers must give more serious thought to remote-connection security. It sounds as if GM’s security problem was not thinking through some of the obvious ways the car could be exploited. The same people who’d never knowingly connect their tablet in a downtown coffee shop to an access point called Free_WiFi didn’t think about that when it came to the cars they’re responsible for building.

This was a relatively easy fix, at least on the Android side, and a minor hassle on the Apple side. It also suggests automakers need to evolve to over-the-air software and security updates — once they’re comfortable the OTA link is secure. When Ford had problems with Ford Sync, the Sync patch possibilities were a) mail the owner a USB key with the fix or b) have the customer spend an enjoyable 90 minutes at the dealership. In comparison, Tesla sends its updates over-the-air. Tesla is helped by the mindset of its tech-savvy buyers, who expect OTA updates. Other owners of other brands may still fear technology. The Chrysler, GM, and who’s-next hacks won’t reassure them.