DETROIT — General Motors late Thursday told Edmunds it is still working to come up with a repair to its OnStar RemoteLink system after a so-called "white-hat" hacker said he was able to remotely tamper with vehicles, unlocking doors and starting engines.
"GM takes matters that affect our customers' safety and security very seriously," wrote OnStar spokesman Stuart Fowle in response to a query. "GM product cybersecurity representatives have reviewed the potential vulnerability recently identified. In working with the researcher, we moved quickly to secure our back-office system and reduce risk.
"However, further action is necessary on the RemoteLink app itself. We take all cyber matters seriously and an enhanced RemoteLink app will also be made available in app stores soon to fully mitigate the risk."
Initially, GM said it had resolved the problem.
RemoteLink is a smartphone app that lets OnStar users remotely start their cars and lock and unlock doors, among other things. It can also help an owner locate a vehicle and get vehicle diagnostic data. It has more than a million active users, according to the GM Web site.
"Cybersecurity is a global issue facing virtually every industry today, and a lot of work continues to be done at GM in this space," Fowle said early Thursday after the initial fix attempt was made. "Our customers' safety and security is paramount and we are taking a multi-faceted approach to secure in-vehicle and connected vehicle systems, monitor and detect cybersecurity threats, and design vehicle systems that can be updated with enhanced security as these potential threats arise."
Samy Kamkar, a security researcher who exposed the OnStar vulnerability in the YouTube video, said he was able to "locate, unlock and remote-start" vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service.
To illustrate the problem, he hacked into the mobile app using something called "OwnStar," a $100 device. Kamkar stood next to a Chevrolet Volt in the video.
Kamkar advised owners to not open the RemoteLink app until GM comes up with a solution. It is unclear at this point whether GM will disable the app function until a solution can be implemented.
After GM said it had fixed the problem, Kamkar tweeted that he was still able to control functions in the app.
The Detroit automaker said RemoteLink is "one of the more popular OnStar service offerings.
Edmunds says: Another example of the urgent need to make in-vehicle systems more secure from hackers.