On Friday afternoon, GM OnStar announced a software update to its RemoteLink app for iPhone to patch a security vulnerability that could have been used from across the internet to track GM vehicles, unlock their doors, start their ignitions, and even access the car owner’s email and address. Responding to WIRED’s story Thursday about the vulnerability revealed by security researcher Samy Kamkar, GM had said it fixed the flaw through a change to its server software. But after Kamkar pointed out that the attack wasn’t blocked in his subsequent tests, the company has now also created a patch for its iOS app and says iPhone and iPad users should follow up by updating their RemoteLink app to fully protect their vehicles.
“Based on our initial conversations with Samy, we made changes that did not require user interaction. In our continued testing and conversations with him yesterday, we confirmed that [fix sufficed] for Android, Windows and Blackberry users but not for Apple iOS users,” wrote GM spokesperson Renee Rashid-Merem in a statement to WIRED. “GM takes matters that affect our customers’ safety and security very seriously… An update is now available via Apple’s App Store. Impacted customers will receive a communication from OnStar today and the previous version of the app will be decommissioned following that communication to ensure customer security.”
Kamkar had demonstrated the OnStar vulnerability with a proof-of-concept device he plans to detail at the hacker conference DefCon next week. The book-sized gadget he developed, which he calls “OwnStar” in a nod to the hacker slang “own,” meaning to gain control of a target computer, is designed to be hidden under the chassis or bumper of the GM vehicle the attacker is targeting. When the car’s owner uses the OnStar RemoteLink app within Wi-Fi range of the car, OwnStar exploits an authentication flaw in the app to intercept the user’s credentials and send them wirelessly to the attacker. With those credentials in hand, the attacker can do anything the RemoteLink app allows, including tracking the vehicle, unlocking its doors, honking the horn, starting the ignition and accessing all the personal information in the user’s OnStar account. Because the stolen credentials are valid until the account is secured, the access does not end when the car leaves the device’s Wi-Fi range. “If I can intercept that communication, I can take full control and behave as the user indefinitely,” Kamkar told WIRED earlier this week.