White hat hacker Samy Kamkar created OwnStar, a hacking device that can infiltrate any vehicle by General Motors that utilizes the OnStar system.
The 29-year-old software developer needed only a few days and a total of $100 to create the hacking tool, full details of which Kamkar will reveal at the DefCon hacking conference next week in Las Vegas.
OnStar is a system found in many models of vehicles by GM that allows owners access to features such as remotely unlocking and starting their vehicles through an app or a mobile phone service.
Kamkar, who told Tech Insider in an interview that it was not difficult to figure out a way to attack OnStar, said that he bought a GM vehicle for his mother earlier this year. He then started to tinker with the car to look for vulnerabilities, and it took him only a few days before he was able to discover a flaw and then develop a tool to exploit the vulnerability.
OwnStar is made up of only a few important components, including a Raspberry Pi computer worth $40 and a trio of radios. The tool can be attached to a target GM vehicle, and once the owner opens the OnStar app within Wi-Fi range of the car, OwnStar will relay critical pieces of information to the hacker.
Kamkar explains that OwnStar intercepts all the information needed for him to log into the targeted car and sends it to him wirelessly. Afterwards, Kamkar will be able to pinpoint the location of the car at any time and then use the same tool to unlock the vehicle.
GM said to Tech Insider that it has already fixed the issue with the OnStar system, working with Kamkar to secure the system and eliminate the risk. However, Kamkar said that he is still able to use OwnStar successfully after the update, which would necessitate further action from GM to patch up the OnStar system.
Kamkar believes that as more connected cars are being rolled out, malicious hackers will find ways to take over vehicles made by companies that are not doing enough to improve the security of their cars. Kamkar believes that some car companies are not focusing on security for connected cars because it is new territory, as previously, people with ill intents had to have physical access to the vehicle. With flaws in the on-board connected systems of vehicles, this will no longer be needed.