Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi based attack that allowed his device to intercept OnStar credentials from the RemoteLink mobile application—giving an attacker the ability to clone them and use them to track, unlock, and even remote start the vehicle. Kamkar discussed the details of the attack last Friday at DEF CON in Las Vegas, noting that the RemoteLink app on iOS devices had failed to properly check the certificate for a secure connection to OnStar’s server, or—as is more common in mobile apps using HTTPS to access Web services—use a “pinned” certificate hard-coded into the application itself. OnStar quickly resolved the issue with a RemoteLink app update.
But OwnStar has moved on to other targets. Today, Kamkar announced that he had adapted the tool to target applications for BMW Remote, Mercedes-Benz mbrace, and Chrysler’s Uconnect services on Apple iOS devices. All three, he said in an exchange with Ars via Twitter, have the exact same vulnerability as the RemoteLink app did: “no pinned cert or even PKI/[certificate authority] validation. Trivial to attack an unadulterated mobile device.”
The OwnStar device packs all the components required to execute this attack into a portable case that can be placed near a targeted vehicle. Like a virtual bear trap, it can capture the login credentials of a car owner using a mobile app to remotely unlock, lock, or start the vehicle, which can then be loaded onto a copy of the targeted mobile app on the attacker’s own device—giving the attacker the ability to execute all of the functions of the telematics system on the targeted vehicle. And it’s all because of a flaw that is all too common to mobile applications—reliance on a remote server’s certificate being valid, regardless of what network the connection is over.
Read 3 remaining paragraphs | Comments