Samy Kamkar, the white hat hacker who discovered a security hole in GM’s OnStar app a couple of weeks ago that he could use to remotely track, unlock and start practically any car using the system, has found the same issue in apps from four other brands, Wired reports.
Kamkar developed a $100 device he calls OwnStar that wirelessly intercepts a car owner’s digital credentials when they use an app tied to the vehicle’s telematics system, allowing him to log on and control whatever remote functions are available via the app. OnStar fixed the issue after learning about it, but Kamkar now says other makes are at risk.
According to Wired, Kamkar tested the device on apps from 11 other brands and found the same vulnerability in BMW’s ConnectedDrive, Mercedes-Benz’s MBrace, Fiat Chrysler’s UConnect, and Viper Smart Start, an aftermarket product that can be installed in a variety of new and old models.
While Kamkar demonstrated the OnStar hack on his own Chevy Volt, he hasn’t executed an attack on cars equipped with any of the other systems because he doesn’t have permission, but he says he did intercept the codes that would let him do so.
A Mercedes-Benz spokesman tells Fox News that the company’s “technical experts plan to coordinate with Mr. Kamkar to learn more,” and that the automaker is constantly evolving the security of its systems. Just last week it sent out an unspecified security update for MBrace, a few days after the OnStar hack was revealed.
BMW and Fiat Chrysler have already had their own security problems this year. In January, BMW discovered a flaw in its ConnectedDrive system and updated it before anyone outside the company was able to exploit it. In July, a team of independent security experts hacked the UConnect system in a Jeep Cherokee and were able to run it off the road over the internet, which led to a recall of over 1.4 million vehicles. Neither company has yet responded to a request for comment from Fox News on Kamkar’s claims.