Did you hear about the OnStar hack last summer?
At the DefCon hacker conference last August, Samy Kamkar presented an attack on OnStar RemoteLink that allows a hacker to track a car, unlock it, sound the horn and alarm or even start its engine. It wasn't possible to drive the car without a key though.
http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/
It sounds like the iOS App was setting up a secure SSL (HTTPS) session to the server but not checking the server's certificate to verify it was connected to the real OnStar server. This meant it was easy to make it connect to fake servers which in turn could be used to extract the OnStar login credentials for that car.
It's all fixed now, but it demonstrates how scary some of these flaws are and how poor many companies are at implementing proper security (part of my job). Even Apple and Google have had similar flaws in their systems.
Anybody using OnStar on a mobile device should ensure they protect their phone and use a long, secure passcode, otherwise anybody stealing your phone could unlock your car.
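Added example, not part of the original post and not the OnStar app's code: a Python sketch of the class of flaw described above, where a TLS client encrypts the session but never authenticates the server, next to the verified configuration and a small audit check. The function names are made up for illustration.

```python
import ssl


def make_unverified_context():
    """Client context with the flaw: traffic is encrypted, the peer is not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from any server, is accepted
    return ctx


def make_chain_only_context():
    """Partial fix: the chain is validated, but a valid cert for any other host still passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def make_verified_context():
    """Chain validated against the system trust store and hostname matched to the cert."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the server is authenticated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def require_authenticated(ctx):
    """Guard to call before any credentials are sent over a connection using ctx."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing to send credentials: " + "; ".join(findings))
    return ctx


if __name__ == "__main__":
    for make in (make_unverified_context, make_chain_only_context, make_verified_context):
        print(make.__name__, "->", audit_context(make()) or "ok")
```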