The OwnStar attack that hacker Samy Kamkar revealed late last month can be used not only against GM vehicles but also against cars manufactured by Mercedes-Benz, BMW, and Chrysler.
The attack lets Kamkar intercept the traffic of nearby mobile phones on which the owner has opened one of the vendor apps that control safety and security features of the vehicle. Kamkar built a Raspberry Pi-based device he calls OwnStar to execute the attack, which he originally demonstrated against the GM OnStar RemoteLink app. The device intercepts the app's traffic, sends specially crafted packets to the phone, harvests the user's credentials, and can then locate, unlock, and remote-start the victim's vehicle.
“After a user opens the RemoteLink mobile app on their phone near my OwnStar device, OwnStar intercepts the communications and sends specially crafted packets to the mobile device to acquire additional credentials, then notifies me, the attacker, about the vehicle that I indefinitely have access to, including its location, make, and model,” Kamkar said in a video demonstrating the device.
Shortly after Kamkar disclosed the attack, which took advantage of a flaw in the RemoteLink app, GM issued a fix. But Kamkar said that he has since found that the attack also works against the mobile apps used by BMW, Mercedes-Benz, and Chrysler owners: the BMW Remote, Mercedes-Benz mbrace, and Chrysler Uconnect apps are all vulnerable, he said. The root cause is the same in each case: the apps fail to validate the server's SSL/TLS certificate, so anyone sitting between the phone and the vendor's backend can present a certificate of their own, complete the handshake, and read or alter everything the app sends, credentials included.
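The following is an added example, not code from Kamkar or from any of the vendors' apps. It shows the difference between a client that skips certificate validation and one that does not, against a local stand-in for the attacker's box. Assumptions: the openssl command-line tool is on PATH (used only to mint a throwaway self-signed certificate), the backend hostname `remotelink.example` is made up, and the login request body is constructed; nothing here reproduces the real apps' protocol.

```python
"""Why an app that does not validate the server certificate hands its
credentials to whoever intercepts its traffic.

Added example, not Kamkar's code or any vendor's app.  Assumptions:
the openssl CLI is on PATH (only used to mint a throwaway self-signed
certificate standing in for the attacker's), and 'remotelink.example'
is a made-up name for the backend the app expects."""
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

BACKEND = "remotelink.example"   # hypothetical backend hostname


def make_mitm_cert(workdir: str):
    """Self-signed cert for BACKEND, as an interceptor would present (constructed)."""
    cert, key = Path(workdir, "mitm.pem"), Path(workdir, "mitm.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={BACKEND}", "-keyout", str(key), "-out", str(cert)],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return str(cert), str(key)


def mitm_server(cert: str, key: str, listener: socket.socket, loot: list):
    """The attacker's box: finish the handshake if the client lets us, then log the request."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    try:
        conn, _ = listener.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:
            loot.append(tls.recv(1024))          # the app's credentials land here
            tls.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
    except OSError:
        pass   # a validating client aborts the handshake with an "unknown CA" alert


def app_login(port: int, validate: bool) -> str:
    """Client side. validate=False is the pattern the vulnerable apps used."""
    if validate:
        ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # accept any certificate at all
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=BACKEND) as tls:
            tls.sendall(b"POST /login HTTP/1.0\r\n\r\nuser=owner&token=SECRET")  # constructed
            tls.recv(64)
            return "credentials sent"
    except ssl.SSLCertVerificationError:
        return "rejected"


def run_demo():
    """Run both clients against the interceptor.

    Returns {'no_validation': ..., 'validation': ..., '<label>_loot': bool}
    or None if openssl is unavailable on this machine."""
    if shutil.which("openssl") is None:
        return None
    results = {}
    with tempfile.TemporaryDirectory() as d:
        try:
            cert, key = make_mitm_cert(d)
        except subprocess.CalledProcessError:
            return None
        for label, validate in (("no_validation", False), ("validation", True)):
            listener = socket.socket()
            listener.settimeout(5)
            listener.bind(("127.0.0.1", 0))
            listener.listen(1)
            loot = []
            t = threading.Thread(target=mitm_server, args=(cert, key, listener, loot))
            t.start()
            results[label] = app_login(listener.getsockname()[1], validate)
            t.join()
            listener.close()
            results[label + "_loot"] = bool(loot)   # did the attacker capture anything?
    return results


if __name__ == "__main__":
    print(run_demo())
```

The non-validating client completes the handshake with the self-signed certificate and sends its login request straight to the interceptor; the default context refuses the certificate before any application data is exchanged. The same distinction applies to any TLS client library: a "trust all" trust manager, a disabled verify flag, or an empty hostname verifier produces the first behaviour.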
Kamkar has been taking dead aim at vehicle security in recent weeks. Last week at DEF CON, he gave a talk on the topic and disclosed details of another device he has built, called RollJam, that lets him intercept signals from car remotes and replay them later to unlock the vehicles. The device can be hidden under a car and works even against vehicles that use rolling codes, which change with every press and are meant to defeat simple replay, rather than fixed codes.
“So when you are walking towards your car, you hit the unlock button; because it’s jammed, the car can’t hear it. However, my device is also listening, so my device hears your signal (and removes the jamming signal because it knows what to remove). Now I have a rolling code that your car has not yet heard,” Kamkar said via email.
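To make the rolling-code point concrete, here is an added simulation; it is not Kamkar's code and does not model any real fob's scheme. The code derivation (an HMAC over a press counter), the 16-code look-ahead window the receiver uses to resynchronise, and the shared key are all constructed stand-ins. It contrasts plain replay against a fixed-code and a rolling-code receiver with the jam-and-capture sequence the quote describes, and also shows the caveat that a captured code dies as soon as the car hears a later one.

```python
"""Simulation of fixed vs. rolling-code remotes and why jam-and-capture
defeats rolling codes where plain replay does not.

Added example, not Kamkar's code.  The code derivation, the look-ahead
window and the key are constructed stand-ins for a real fob's scheme."""
import hashlib
import hmac

WINDOW = 16                                    # constructed: receiver resync window
SHARED_KEY = b"constructed-fob-key-not-a-real-one"


def derive_code(key: bytes, counter: int) -> bytes:
    """Code for a given counter value (constructed stand-in for a real scheme)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, key: bytes, rolling: bool):
        self.key, self.rolling, self.counter = key, rolling, 0

    def press(self) -> bytes:
        code = derive_code(self.key, self.counter)
        if self.rolling:            # a fixed-code fob repeats the same code forever
            self.counter += 1
        return code


class Car:
    def __init__(self, key: bytes, rolling: bool):
        self.key, self.rolling, self.expected = key, rolling, 0

    def hear(self, code: bytes) -> bool:
        """True if the code unlocks the car."""
        if not self.rolling:
            return hmac.compare_digest(code, derive_code(self.key, 0))
        for n in range(self.expected, self.expected + WINDOW):
            if hmac.compare_digest(code, derive_code(self.key, n)):
                self.expected = n + 1   # this and every earlier code is now dead
                return True
        return False


class Air:
    """RF channel with an attacker listening and, optionally, jamming."""

    def __init__(self, car: Car):
        self.car, self.jammed, self.sniffed = car, False, []

    def transmit(self, code: bytes) -> bool:
        self.sniffed.append(code)   # the attacker's receiver always gets a copy
        if self.jammed:
            return False            # the car hears only the jamming signal
        return self.car.hear(code)


def plain_replay(rolling: bool) -> bool:
    """Attacker sniffs a normal press and replays it later."""
    fob, car = Fob(SHARED_KEY, rolling), Car(SHARED_KEY, rolling)
    air = Air(car)
    air.transmit(fob.press())            # owner unlocks; car hears and consumes the code
    return air.transmit(air.sniffed[0])  # replay: works for fixed, fails for rolling


def jam_and_capture() -> bool:
    """Jam the owner's press, keep the code the car never heard, use it later."""
    fob, car = Fob(SHARED_KEY, True), Car(SHARED_KEY, True)
    air = Air(car)
    air.jammed = True
    air.transmit(fob.press())            # owner presses; car hears nothing
    air.jammed = False
    return air.transmit(air.sniffed[0])  # stored code is still "next" for the car


def jam_then_owner_presses_again() -> bool:
    """Caveat: once the car hears a later code, the stored one is dead."""
    fob, car = Fob(SHARED_KEY, True), Car(SHARED_KEY, True)
    air = Air(car)
    air.jammed = True
    air.transmit(fob.press())            # stored code: counter 0
    air.jammed = False
    air.transmit(fob.press())            # owner's retry gets through: counter 1 accepted
    return air.transmit(air.sniffed[0])  # counter 0 now lies behind the window
```

Plain replay unlocks the fixed-code car and is refused by the rolling-code car, which is the whole purpose of rolling codes; jamming changes the outcome because the captured code was never consumed. The last function shows the timing constraint: the attacker's code is only good until the car accepts a later one, which is why the device has to stay on the car and act on the captured code promptly.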