The vulnerability was demonstrated by security researcher Samy Kamkar in a YouTube video. He claims to have found a way to locate, unlock and remote-start any vehicle with RemoteLink, after intercepting the communication between the mobile app and GM’s OnStar servers.
“More technical details to come at Defcon and in a future video,” the video notes.
Before releasing full details, Kamkar reportedly worked with GM as the automaker developed a patch to prevent attacks using the method. The company has already implemented the fix, which apparently required server-side changes rather than new software installed on the vehicle itself.
“GM product cybersecurity representatives have reviewed the potential vulnerability recently identified by Mr. Kamkar, and a fix has already been implemented to address this concern,” GM said in a statement to The Detroit News. “No additional action is required by our customers.”
The issue has surfaced a week after Fiat Chrysler Automobiles dealt with a similar situation involving its Uconnect infotainment systems. A team of researchers had developed an exploit that allowed them to remotely control a Jeep Cherokee’s brakes and steering. The company initially handled the problem quietly, crafting a software update to protect the infotainment systems; however, the fix was later elevated to a formal safety recall affecting 1.4 million vehicles.
Security researchers have become increasingly vocal in warning of the potential vulnerabilities in modern vehicles. Integrated cellular connections, Wi-Fi and Bluetooth all serve as potential avenues for attack, and security patches can be difficult to distribute across an entire fleet if owners must bring their vehicle to a dealer for a software update.
“Cyber security is a global issue facing virtually every industry today, and a lot of work continues to be done at GM in this space,” GM said. “Our customers’ safety and security is paramount and we are taking a multi-faceted approach to secure in-vehicle and connected vehicle systems, monitor and detect cyber security threats, and design vehicle systems that can be updated with enhanced security as these potential threats arise.”