The flaw, according to Kamkar, is the automaker’s almost childlike faith that the certificate on the remote server is valid, disregarding what kind of network provides the connection and whether it’s a legitimate remote server or one that just says it is.
How it works
OwnStar uses the phone’s preference for WiFi networks to its advantage. On the AT&T mobile network, if an iOS device sees the SSID “attwifi” being broadcast by OwnStar, it attempts to pair with the OwnStar device, which happily complies as a passthrough, all the while capturing and remembering the data stream. The hacker could get into the car and start or shut down the engine, but not actually drive away.
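What a client that does validate the server looks like, shown beside the trusting pattern the article describes. This is an added example, not code from Kamkar or any automaker's app; the pinned fingerprint, the sample certificate bytes and the function names are constructed for illustration, and certificate pinning is an extra hardening step the article does not mention.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the DER bytes of the real server certificate.
# A shipping app would embed the vendor's actual fingerprint instead.
EXPECTED_CERT = b"constructed-telematics-server-cert"
PINNED_SHA256 = hashlib.sha256(EXPECTED_CERT).hexdigest()


def trusting_context() -> ssl.SSLContext:
    """The flawed pattern: any certificate from any server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def strict_context() -> ssl.SSLContext:
    """Chain and hostname are verified against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pin_matches(der_cert: bytes, pinned_hex: str = PINNED_SHA256) -> bool:
    """Compare the presented certificate's SHA-256 with the pinned value."""
    presented = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(presented, pinned_hex)


def open_verified(host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect, let TLS verify chain and hostname, then enforce the pin."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = strict_context().wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError):
        raw.close()                  # handshake failed: drop the connection
        raise
    if not pin_matches(tls.getpeercert(binary_form=True)):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pin")
    return tls
```

With the strict context, a passthrough that presents its own certificate fails the handshake whatever the network's SSID, so the client never sends credentials over that connection.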
Should be patchable
Kamkar says he’s alerted the current crop of vulnerable automakers — BMW, Mercedes, Chrysler — of the need to patch their wireless systems. For now, in case there are hackers in the mall parking lot, don’t use wireless access. No problem using your remote key fob; that’s safe. Probably.
Who hasn’t been hacked yet?
In reader comments on many of the stories floating about this month, people who say they’ve been engineers or QA testers report that they often did their work in labs or shops with mock dashboards rather than out on the highway. In the lab, it was assumed there were no vulnerabilities (true for the lab), and they felt comfortable using commonplace passwords such as “testpass” and/or accepting any logon attempt that seemed valid. If a WiFi device’s SSID read “attwifi,” it was treated as valid; they let their guard down and didn’t protect against the dangers to cars in real-life situations. And until Kamkar came along, the minimal defenses were enough. Not any more.