1 - 5 of 5 Posts

·
Registered
Joined
·
360 Posts
Discussion Starter · #1 ·
Did you hear about the OnStar hack last summer?

At the DefCon hacker conference last August, Samy Kamkar presented an attack on OnStar RemoteLink that allows a hacker to track a car, unlock it, sound the horn and alarm or even start its engine. It wasn't possible to drive the car without a key though.

http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/

It sounds like the iOS App was setting up a secure SSL (HTTPS) session to the server but not checking the server's certificate to verify it was connected to the real OnStar server. This meant it was easy to make it connect to fake servers which in turn could be used to extract the OnStar login credentials for that car.

It's all fixed now, but it demonstrates how scary some of these flaws are and how poor many companies are at implementing proper security (part of my job). Even Apple and Google have had similar flaws in their systems.

Anybody using OnStar on a mobile device should ensure they protect their phone and use a long, secure passcode, otherwise anybody stealing your phone could unlock your car.
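
Added example, not part of the original post and not OnStar's or the app's code: the missing server-certificate check described above, shown in Python's standard `ssl` module as the flawed client setup beside the corrected one, with a small audit function and an optional pin comparison. The function names and the certificate byte strings are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def insecure_context() -> ssl.SSLContext:
    """The flawed pattern: traffic is encrypted but the server is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from any server, is accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Library defaults: verify the chain against trusted CAs and check the hostname."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for settings that would let a fake server pass as the real one."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def pin_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Optional extra check: compare the server certificate's SHA-256 to a pinned value."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())


# Constructed stand-ins for DER certificate bytes (not real certificates).
REAL_CERT = b"constructed-der-bytes-of-expected-server"
FAKE_CERT = b"constructed-der-bytes-of-other-server"
PIN = hashlib.sha256(REAL_CERT).hexdigest()

if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    print("pin matches expected cert:", pin_matches(REAL_CERT, PIN))
    print("pin matches other cert:", pin_matches(FAKE_CERT, PIN))
```

In a real client the bytes passed to `pin_matches` would come from `getpeercert(binary_form=True)` on the connected socket, after the hardened context has already validated the chain and hostname.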
 

·
Registered
Joined
·
360 Posts
Discussion Starter · #2 ·
Having said that I'm wondering if it will still be possible to get the OnStar credentials out of my iPhone to enable me to unlock my car from my Raspberry Pi. That way I could have a switch in the house to lock/unlock the car, or use the Pi to ensure it is locked every evening if I forget to lock it.

If so, I could also set up a HomeKit node.js server on the Raspberry Pi to enable the car to be unlocked from my Apple Watch - "Hey Siri, Unlock my Astra..."

Anybody else interested?
 

·
Registered
Joined
·
145 Posts
I've had discussions about this with staff and customers (I work for the Service Department of a Vauxhall Main Dealer in the Midlands).

It's a bit different with OnStar than other digital car systems for other brands. OnStar has been in service around the world since 1995. It's actually an old system only just being introduced to the UK & some parts of Europe (France is a big non-player).

GM was the first to appoint a Chief Product Cybersecurity Officer, Jeff Massimilla, in mid-2014. No other car company had even considered these issues until this point but GM (Opel/Vauxhall owners) have been at the front.

I'm not suggesting it's a perfect system but you can be confident that the company is making some progress and effort towards maintaining secure systems.
 

·
Registered
Joined
·
59 Posts
An old system with lots of add-ons over the years. I thought it started as just voice and moved on from there. Interesting that Nissan have disabled their app for the Leaf as it could be hacked to control systems in the car.
 