Ever since two hackers, Charlie Miller and Chris Valasek, remotely hacked a Jeep Cherokee through its UConnect infotainment system, it seems as if we can’t go a week without hearing of another instance where cars can be hacked remotely. First it was the Jeep, then it was a Corvette, now it’s BMW, Mercedes-Benz and Chrysler.
Security Researcher Samy Kamkar recently revealed a bug that can allow him to connect with the OnStar system of any General Motors vehicle. Using a $100 homemade device, Kamkar is able to mount it underneath any car and, using a fault in the security code for the OnStar RemoteLink app, gain all access to the driver’s OnStar information once the driver uses it. One he has access to the user’s info on the app, he can login as that user and access as many features to the car as the app grants. GM has since released an update through the app store which now prevents this sort of hacking. However, a few other car companies are still susceptible to such an attack.
The researcher claims that BMW’s and Mercedes-Benz’s apps might be capable of being hacked, due to the lack of security built in. While Kamkar hasn’t actually tested this on any BMW or Mercedes vehicles, he has gotten information from users already. He says he waiting to release the code so that the automakers have a chance to fix the security issues. While BMW didn’t comment, a spokesperson from Mercedes did, telling Wired “we don’t want to engage in speculation about potential hacks (often the result of extreme manipulation) that have very little likelihood of occurring in the real world and create unnecessary concern.”
I’m sure both BMW and Mercedes-Benz are working on fixes for their apps so that user’s information is secure, but aren’t going to engage Kamkar. However, it is frightening that such a simple tool can be used to get the information of any user with any kind of remote app for their car. What’s even more frightening is that this is just the beginning. According to Kamkar, “We’re really only scratching the surface of the security of these vehicles,” to which he continued “Who knows what will be found when researchers look further.”
With all of the increased connectivity lately, it’s fair to say that security is getting thinner than thinner. There’s so much that smartphones and apps can do to a car remotely now that there are so many breaking-in points. I guess that’s the price we must pay for the increased convenience. But is it really worth it?