GM Fixes OnStar RemoteLink App's Vulnerability to Hacking | Edmunds


DETROIT - General Motors told Edmunds on Saturday it has issued a new OnStar RemoteLink app following a widely publicized threat by a security researcher who said he took over some functions of a Chevrolet Volt.

"At this point, the old version of the Apple iOS app has been turned off," wrote Stuart Fowle, an OnStar spokesman, in response to a query.

The app is for iPhone and iPad users.

"GM product cybersecurity representatives reviewed a vulnerability identified by an independent researcher this week and moved quickly to secure our back-office system and reduce risk," GM's OnStar division said in a statement. "That step required no customer action.

"Continued testing identified further action necessary on the Apple iOS version of RemoteLink app itself. That step has now been taken and an update is now available via Apple's App Store. Impacted customers will receive a communication from OnStar and the previous version of the app will be decommissioned following that communication to ensure customer security."

OnStar customers should follow directions from OnStar and download the updated app on the Onstar.com RemoteLink Web page or from a link on the iPhone that directs them to the App Store. They can also contact OnStar at 1-888-466-7827 for more information.

No additional action is required for Android, Windows Phone and BlackBerry users, according to the Detroit automaker. They do not need to download a security update.

The RemoteLink app lets OnStar users remotely start their cars, honk the horn, turn on lights or lock and unlock doors.

Vehicle diagnostic data such as tire pressure and oil pressure is also available on the app, along with a vehicle-locator function.

Security researcher Samy Kamkar, who exposed the vulnerability of the app in a YouTube video, tweeted that the fix is a "great turnaround."

Kamkar said he was able to "locate, unlock and remote-start" vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service.

To illustrate the problem, he hacked into the mobile app using something called "OwnStar," a $100 device.

The latest hacking incident follows the first cybersecurity recall in the United States, which came after a Wired magazine report that hackers wirelessly took control of a 2014 Jeep Cherokee.

Fiat-Chrysler is recalling 1.4 million U.S. vehicles, including the 2014-'15 Jeep Grand Cherokee and Jeep Cherokee SUVs, over fears about remote hacking.

Edmunds says: GM quickly worked to fix a hacking vulnerability in its OnStar RemoteLink app, but concerns about car hacking continue to rise.
