Samy Kamkar is a car buff. The cyber security expert enjoys tinkering, particularly in the intersection of automation and the Internet of Things. “I love the new technology that car companies are introducing,” he says, “but I worry whether the manufacturers are actually paying attention to the security of these connected vehicles.”
That’s why, last week, he unveiled a recent four-wheel hack of a friend’s Chevy Volt, cracking the OnStar, which is owned by General Motors, through a device he built called OwnStar. And tomorrow, the ‘white hat hacker’ will unveil his latest creation, a startlingly simple device that toys with what had been considered a full-proof security system.
Today’s car thieves are armed with more than a crowbar or a slim jim. Cars are now being sold based less on their horsepower or sleek exterior and more on how quickly their WiFi works. Buick’s redesign includes a hotspot, while other vehicles are stocked with Bluetooth, OnStar, and various functions that help a consumer stay in touch while on the road.
In the past, a car thief needed to have access to a car’s on-board diagnostics port and would technically have to be inside the car. Now, though, as soon as users connect to the Internet, which happens sometimes before the seatbelt is fastened, a thief can take control.
In late July, security researchers Charlie Miller and Chris Valasek were able to completely commandeer a Jeep Cherokee through a chip within the car’s UConnect system (which provides both wireless and cellular connectivity). And the number of technologically enhanced vehicles is only growing: experts at the Intelligent Transportation Systems World Congress in Detroit last fall estimate that within the next five years, more than three-quarter of the nation’s cars will be in some way connected to the Internet.
“This is not a red herring,” says Kamkar. With OwnStar, he used just a Raspberry Pi and three radios (one to provide an Internet connection, the other two were wireless) to intercept communications between an owner’s mobile device and the OnStar servers, creating a loophole to access what had been private, encrypted data, such as billing information and email addresses.
“OwnStar potentially gives me anyone’s critical authorization details,” he says. “I could even go to a crowded area, plant the device, and when someone within wireless distance opens their OnStar app, I have access and can track their car.”
When Kamkar alerted GM to the security flaw, he says the manufacturer was responsive, but didn’t solve all the issues on the first go-around. A key vulnerability — intercepting encrypted connections where the certificate wasn’t handled properly — was still a glitch for roughly 48 hours after Kamkar’s notification. (The company eventually resolved the issue.) “This is likely a much greater problem,” he continues. “Car thieves are already becoming more advanced, and Charlie Miller’s attack, which modified how a car drove, could put people in real danger.”
During this week’s Def Con hacking convention in Las Vegas, Kamkar plans to display his latest car hacking device that essentially turns a key fob into a micro-controller with several radios that he has named RollJam. When a car owner presses on his fob to lock or unlock a car door, a signal, known as a rolling code, will transmit to the car. No codes are ever repeated, and once the alternating signal — like, locking an unlocked door — has been released, all previous codes are invalidated, which is intended to be a fool-proof safeguard.
RollJam, though, hacks the process: hidden near a car or in a garage, RollJam ‘jams’ a signal with a radio, blasting noise on a common frequency used by automobiles, while another radio captures the rolling code. A user will press the fob again, thinking the device hasn’t performed the intended function, and RollJam simultaneously captures the second code while releasing the first one — the car is now locked, but RollJam has the second code needed to unlock the vehicle.
According to Kamkar, whose device can potentially work on an estimated million or so cars, “I can replay the first signal, and then I have the secondary signal to use later on.” Wired reached out to several manufacturers with questions about the vulnerability, and only Chrysler responded, claiming its newer lines have patches capable of dealing with a possible RollJam hack.
Kamkar is quick to note he’s not going to embark on a Fast and the Furious-type spree of hacking, hijacking, and hoarding vehicles for his own gains. “I don’t think security teams do enough internal research into these cars and how they fit within the Internet of Things,” he says. Manufacturers are oriented to build new products quickly and reach consumers that crucial 21st century security protocols are being overlooked, he says. “Manufacturers won’t solve an issue until someone demonstrates it.”