Cyber Security Expert Hacks into GM’s OnStar System

A friendly "white-hat" hacker says he can identify, locate, unlock and remotely start vehicles equipped with General Motors Co.'s OnStar telematics service.

Samy Kamkar uses his Applied Hacking YouTube video channel to describe how the "OwnStar" device he built can break into the OnStar system. He says the device exploits a vulnerability with the OnStar RemoteLink mobile app, not the vehicle itself.

Kamkar advises owners to prevent such a hack by not opening or using the RemoteLink app until a security patch becomes available. Some OnStar users say hacking the car to start the engine still would not allow the hacker to drive the car away without a valid ignition key.

Kamkar's OwnStar device intercepts communications between the mobile app and OnStar's computers. It can then pose as the vehicle owner's smartphone, issuing its own unlock and engine-start commands. Once the device breaks in, Kamkar says, it can continue indefinitely to identify the make, model and location of the vehicle.

GM tells Reuters it has already implemented a fix. Kamkar describes GM as "receptive" to closing the security breach. But Reuters says he doesn't believe GM has yet fixed the app's bug that enables his device to break in.

Kamkar plans to reveal more details about the hack at next week's Def Con hacking conference in Las Vegas. Two other hackers who revealed their ability to take remote control of a Jeep Cherokee SUV plan to discuss their exploits at the same meeting.