mungewell

OnStar vulnerable to attack?

4 posts in this topic

'GM's OnStar system could soon halt stolen cars' - http://www.ctv.ca/servlet/ArticleNews/stor...009?hub=SciTech

This article got me thinking about how tightly integrated OnStar (and presumably other systems) are becoming with the on-board computers in modern cars, and how susceptible they are to hack/attack.

One of my work colleagues says that they already have the ability to read things like tyre pressure sensors, OBD-II codes etc, so they are hooked right in there at present; even to the point of sending you a monthly email with a current status. Connecting into the engine management with remote control of the engine itself is I guess the next step.

Questions:

Does the inbuilt cellphone answer all incoming calls?

What level of authentication do they have once connected?

Assuming GSM, how easy is it to snoop on the GSM call whilst in process?

How long before we start hearing that the vocal opponents of GM start getting involved in mysterious car crashes? (OK that's just conspiracy talk ;-)

Munge.


OK answering my own posts again.... at least I'm not arguing with myself.

OnStar's own page gives quite a lot away.

https://www.myonstar.com/ovm_register.os

I believe that the OnStar system uses CDMA technology in the back end, but what comms method do they use for transmitting data to/from the unit? If they can send data whilst the 'talk' part is active then they must either use SMS or an IP data path; it is highly unlikely that the cell phone is dual channel or can cope with inband signalling.

My bet is SMS, in which case how secure can this be.... an example capture would be highly informative. So when they unlock the doors, how wrapped in crypto is the command?

Munge.

PS. Blondstar link - http://www.youtube.com/watch?v=B3UGhRjPry4...ted&search=

it is highly unlikely that the cell phone is dual channel or can cope with inband signalling

Wrong again.... It appears that the data path is 'inband audio' and we all know what a bad idea that can be ;-)

System is aqLink from Airbiquity, it uses carefully crafted audio tones to achieve data rates of 100 bit/sec.

'Glossy' information - http://www.airbiquity.com/index1.html

'Real' information - http://www.google.com/patents?id=DYsLAAAAE...p;dq=Airbiquity

Haven't found info on what protocol OnStar uses over the link, I won't take a random guess as I'm bound to be wrong.

So my thinking is that they give everyone aqLink capable hardware (in the form of OnStar hardware), presumably a hacked unit could be made to call another unit and 'talk' over the data channel.

Since the digital data stream is mixed in the analogue domain, is it actually audible on the call? If so, can it be recorded?

Munge


This is an interesting topic, something that's not very often discussed... probably because the truth may scare people?

In any sense, I can see you're just curious.. but producing an exploit capable of unlocking people's car doors is a "Bad Idea".

Good luck though.. be sure you inform OnStar several months before you publish anything.. ;)
