Remember OwnStar, the attack Samy Kamkar revealed late last month that allowed him to unlock nearly any GM vehicle? That attack now extends to BMW, Mercedes-Benz and Chrysler as well.
The OwnStar attack allows Kamkar to intercept traffic from nearby phones running GM’s OnStar app, which lets car owners control simple safety features such as locking and unlocking the car. Kamkar built a Raspberry Pi-based device that he dubbed OwnStar to execute the attack, which he initially demonstrated against GM vehicles via the OnStar RemoteLink app. OwnStar can intercept traffic, send specially crafted packets, gain credentials, pinpoint the vehicle’s location, and unlock and even start the victim’s vehicle.
“After a user opens the RemoteLink mobile app on their phone near my OwnStar device, OwnStar intercepts the communications and sends specially crafted packets to the mobile device to acquire additional credentials then notifies me, the attacker, about the vehicle that I indefinitely have access to, including its location, make, and model,” Kamkar explained in his proof-of-concept video, which shows the device unlocking a GM vehicle.
Following Kamkar’s disclosure, which abused the internet-connected RemoteLink app, GM urgently issued a patch. However, less than a month after its initial reveal, Kamkar has discovered that the attack works against a number of mobile apps from BMW, Mercedes-Benz and Chrysler. According to his research, the BMW Remote, Mercedes-Benz mbrace and Chrysler Uconnect apps on Apple iOS devices are all vulnerable to OwnStar. The main issue is that the apps fail to validate SSL certificates, allowing just about anyone positioned between the phone and the server to intercept the traffic.
I've updated OwnStar to also unlock cars from and attack BMW Remote, Mercedes-Benz mbrace, and Chrysler Uconnect. https://t.co/qRsjtLnRlM
— Samy Kamkar (@samykamkar) August 13, 2015
Kamkar is no stranger to car hacking, having taken his own jabs at vehicle security in the past weeks. Just last week at the annual security conference Def Con, he disclosed details of his latest $30 device, called RollJam, which allows him to intercept vehicle signals and save them to unlock vehicles later. The device is extremely covert and can be hidden under a car that accepts rolling codes.
The device works like this: Kamkar has OwnStar in place as a victim walks up to their vehicle and hits the unlock button on their keyset. By default, OwnStar jams the car so that it cannot accept any signals or codes, blocking the car from working properly. As OwnStar continues to jam the car, the victim will likely press the button again, once more trying to unlock the car. This time Kamkar’s device is listening and saves the signal the keys sent while still jamming the car. Once the victim leaves, OwnStar saves the signals and can use them to open the car at a later time.
Kamkar said he has only tested his attacks on the iOS version of the apps and has since alerted BMW, Mercedes and Chrysler to the severe vulnerability. Until the applications are patched, he recommends not using them, just in case attackers are close by.
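Why the saved signals remain usable, as an added example (not code from the original article or from Kamkar): a simplified counter-based rolling-code receiver in Python. The HMAC-based code format, the key and the 16-code look-ahead window are assumptions for illustration and do not model any manufacturer's scheme.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how many unseen counters the receiver tolerates


def code_for(key: bytes, counter: int) -> bytes:
    """Code the fob transmits for one button press (constructed scheme)."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1  # every press consumes a new counter value
        return code_for(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seen = key, 0

    def accept(self, code: bytes) -> bool:
        counter = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, code_for(self.key, counter)):
            return False  # forged or corrupted code
        if not self.last_seen < counter <= self.last_seen + WINDOW:
            return False  # already used, or too far ahead of the receiver
        self.last_seen = counter  # this code and every older one are now dead
        return True


def scenario(hears_fresh_press_first: bool) -> list:
    """Return whether two codes sent during jamming are accepted afterwards."""
    key = b"constructed-demo-key"
    fob, car = Fob(key), Receiver(key)
    stored = [fob.press(), fob.press()]  # transmitted, but the car never heard them
    if hears_fresh_press_first:
        car.accept(fob.press())  # a later, un-jammed press reaches the car
    return [car.accept(code) for code in stored]


if __name__ == "__main__":
    print("car heard nothing since the jam:", scenario(False))
    print("car heard a newer press first: ", scenario(True))
```

In this model the receiver only retires codes it has actually heard, so a code sent during jamming stays valid until a newer press from the real fob gets through.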