Weakness exposed in OnStar app

A researcher is advising drivers not to use a mobile app for General Motors OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely.

Hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to ‘locate, unlock and remote-start’ vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service.

The hacker said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities.

The video was released a week after Fiat Chrysler Automobiles recalled some 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. That bug allowed them to gain remote control of a Jeep traveling at 70 miles per hour on a public highway.

GM spokesman Terrence Rhadigan told Reuters via email that the company was preparing an update to the RemoteLink app that would address the vulnerability. ‘It’s days away,’ he said.

When asked if it was safe to use the app before an update is released, Terrence said, ‘We believe the chances of replicating this demonstration in the real world are unlikely. In addition, the action involves one user at a time, and would impact only that specific user’s account.’

The issue drew the attention of U.S. safety regulators from the National Highway Traffic Safety Administration.

According to OnStar’s website, more than three million people have downloaded the OnStar RemoteLink mobile app for Apple iOS and Google Inc devices.