The iOS apps used by four leading car manufacturers include a cybersecurity flaw that enables a hacker to remotely start ignitions, unlock vehicles over the Internet and sometimes track their location, according to a new report. It's the same vulnerability that compromised General Motors' (now fixed) OnStar RemoteLink app and just the latest to highlight security inadequacies in the auto industry.
BMW's Remote app, Mercedes-Benz's mbrace, Chrysler Uconnect and the alarm system included in Viper's Smartstart can all be exploited with a $100 homemade device called OwnStar, created by hacker Samy Kamkar. Kamkar, who used the same device to infiltrate GM's OnStar, told Wired magazine Thursday that his device can be planted somewhere in a car's body and then trick the owner's phone into connecting with it.
From there, the OwnStar intercepts the user's credentials and takes control of his connection, giving Kamkar (or someone with malicious intentions) access to the same perks OnStar owners enjoy. “If you're using any of those four apps, I can automatically get all of your log-in information and then indefinitely authenticate as you,” he told Wired. “These apps give me different levels of control of your car. But they all give me some amount of control.”
This hack is the latest in a cascade of discoveries underlining frightening weaknesses in the Internet of Things world. First, researchers found flaws in Jeep software that allowed them to slow a moving vehicle to a halt on the highway; then weaknesses in the Tesla Model S convinced the company to issue an immediate over-the-air update.
Now, Kamkar is recommending that each automaker update its apps in the Apple App Store before it's too late. “We’re really only scratching the surface of the security of these vehicles,” he told Wired.