A researcher says BMW was informed of the mobile app vulnerability that allows hackers to locate and unlock cars months before the attack method was disclosed.
At the recent DEF CON conference in Las Vegas, security researcher Samy Kamkar showcased a $100 gadget that allowed him to intercept the login credentials of General Motors car owners who used the company’s OnStar RemoteLink iOS app.
GM’s OnStar service allows users to locate, unlock and even start their car from a smartphone app. However, Kamkar discovered that the iOS application fails to validate SSL certificates, exposing users to man-in-the-middle (MitM) attacks.
Kamkar’s gadget, dubbed OwnStar, is designed to impersonate a familiar Wi-Fi hotspot in order to trick the potential victim’s phone into connecting to it — AT&T phones, for example, will automatically connect to networks named “attwifi.” Once the target’s phone has connected to OwnStar, the device can leverage the SSL vulnerability to capture the target’s OnStar credentials when they use the RemoteLink app.
Once they obtain the credentials, hackers can log into the victim’s account and perform various actions, including locating the car, unlocking it, and starting the engine. An attacker would still need a key to drive off, but Kamkar believes this is still a serious issue.
GM updated its iOS app to address the vulnerability, but Kamkar discovered that the iOS applications offered by Mercedes (mbrace), BMW (My BMW Remote) and Chrysler (Uconnect) were affected by the same type of SSL issue.
Kamkar reported his findings to the car manufacturers, but BMW appears to have known about the vulnerability for months before the researcher disclosed his findings.
Han Sahin, co-founder of Netherlands-based security firm Securify, said he reported the MitM SSL vulnerability to the BMW Group on April 22. The car maker’s CISO confirmed receiving the bug report the next day, but the My BMW Remote app for iOS is still vulnerable.
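The flaw class described above, an iOS client that does not validate the server's certificate, is shown here beside a corrected check. This is an added example, not code from any of the apps named in the article: the class names and the pin value are hypothetical, and the leaf-certificate pin goes beyond the validation the article discusses.

```swift
import Foundation
import Security
import CryptoKit

// Placeholder: base64 SHA-256 of the API server's leaf certificate (DER). Hypothetical value.
let pinnedLeafSHA256: Set<String> = ["<BASE64_SHA256_OF_SERVER_LEAF_CERT>"]

// WEAK: accepts whatever certificate the peer presents, so any network device
// between the phone and the server can terminate TLS and read the login request.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust)) // no evaluation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: validates chain and hostname, then requires a pinned leaf certificate.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil); return
        }
        // 1. Chain validation against the system trust store, with hostname matching.
        SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, space.host as CFString))
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        // 2. Pin check on the leaf certificate (SecTrustCopyCertificateChain needs iOS 15+).
        //    Ship a backup pin as well so certificate rotation does not lock users out.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = Data(SHA256.hash(data: der)).base64EncodedString()
        let ok = pinnedLeafSHA256.contains(digest)
        completionHandler(ok ? .useCredential : .cancelAuthenticationChallenge,
                          ok ? URLCredential(trust: trust) : nil)
    }
}
```

A client that installs no delegate override at all gets step 1 from URLSession by default; the weak form only appears when the challenge handler is overridden without evaluating the trust object.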