Pierluigi Paganini August 22, 2015

A security researcher revealed that BMW was aware of the mobile app vulnerability that allows hackers to run the Ownstar attack.

At the recent DEF CON conference the popular security researcher Samy Kamkar presented Ownstar, a $100 gadget that allows to hacks GM Cars. The Ownstar tool allows to locate, unlock, and start a car who used the company’s OnStar RemoteLink iOS app.

The hack is possible because the iOS application fails to validate SSL certificates, allowing attackers to run man-in-the-middle (MitM) attacks.

Ownstar is a hacking kit, similar to a computer board, with some antennas, and some controller circuit boards, it allows intercepting communication and discover the location of the car and the model.

“If I can intercept that communication, I can take full control and behave as the user indefinitely,” says Kamkar. “From then on I can geolocate your car, go up to it and unlock it, and use all the functionalities that the RemoteLink software offers.” “I suggest not opening the RemoteLink app up until an update has been provided from OnStar,” he added.

When the car’s owner leaves the perimeter, the attacker can use the intercepted info to disguise as the Onstar app, and unlock the car, start the engine like he was the legitimate owner.

The catch is, even if you are inside the car, and with the engine on, you can’t drive the car because it requires the key.

GM updated its iOS app to fix the vulnerability exploited by Kamkar, but at the same time the expert discovered that the OwnStar attack also works against other iOS applications offered by other automakers including Mercedes (mbrace), BMW (My BMW Remote) and Chrysler (Uconnect).

Here start the interesting part of the story, Kamkar reported the vulnerability to the automakers, but it seems that BMW was already aware of the flaw  for months before the researcher presented it to the press.

According to Han Sahin, co-founder Securify firm, he reported the vulnerability to the BMW on April 22. The BMW CISO confirmed receiving the bug report the next day, but Ownstar attack still works on My BMW Remote app for iOS.

“Securify has reported identical issues in the past to various organizations; ranging from small organizations to enterprises. Most organizations take these issues seriously and update their apps in a timely fashion. In our opinion, three months should be enough to resolve issues like this,” Sahin told SecurityWeek.

“At the time of writing the BMW iOS app is still vulnerable to man in the middle attacks. We’ve informed BMW more than 120 days ago. We have yet to receive a formal response from BMW,” the expert added. “We think BMW has had enough time to resolve this issue. Had they done so, they would not have been affected by the OwnStar attack.”

BMW sent to Wired an official comment on August 15, refusing the possibility an attacker can run MITM attack

“BMW confirmed that its apps “conform to the same industry standards as other apps that use SSL-encrypted communication with a backend, such as online banking apps.” The company also noted that “a man-in-the-middle attack on client-server communication can never be completely ruled out, but is virtually impossible to carry out and the probability of such a specific attack in everyday life is highly unlikely.”

Pierluigi Paganini

(Security Affairs – Kamkar, OwnStar attack)