Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi based attack that allowed his device to intercept OnStar credentials from the RemoteLink mobile application, giving an attacker the ability to clone them and use them to track, unlock, and even remote-start the vehicle. Kamkar discussed the details of the attack last Friday at DEF CON in Las Vegas, noting that the RemoteLink app on iOS devices had failed to properly validate the certificate presented for its TLS connection to OnStar's server, and did not, as security-conscious mobile apps that call Web services over HTTPS do, "pin" the expected server certificate or public key inside the application itself. Without either check, the app would complete a handshake with anyone who answered on the server's behalf. OnStar quickly resolved the issue with a RemoteLink app update.
But OwnStar has moved on to other targets. Today, Kamkar announced that he had adapted the tool to target applications for BMW Remote, Mercedes-Benz mbrace, and Chrysler's Uconnect services on Apple iOS devices. All three, he said in an exchange with Ars via Twitter, have the exact same vulnerability as the RemoteLink app did: "no pinned cert or even PKI/[certificate authority] validation. Trivial to attack an unadulterated mobile device."
The type of man-in-the-middle attack Kamkar staged is a common exploit against mobile applications. Using a malicious Wi-Fi access point together with an open source interception tool such as SSLStrip (SSLStrip proper downgrades HTTPS links to plain HTTP; against an app that hard-codes HTTPS, the attacker instead terminates TLS itself with a forged certificate), an attacker can get a mobile device that is configured to connect automatically to known Wi-Fi networks to join the attacker's hotspot. By default, for example, iOS devices on AT&T's mobile network will automatically join any hotspot broadcasting the SSID "attwifi." The attacker's device then acts as a proxy for the app's secure connections, presenting a forged certificate for the remote server; an app that neither validates the certificate chain nor pins the expected certificate completes the handshake with the attacker, who decrypts the data the app sends, reads it, and forwards it to the real server so that nothing appears to be wrong. The OwnStar device Kamkar built packs all the components required to execute this attack into a portable case that can be placed near a targeted vehicle.
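The interception described above, reduced to its TLS essentials, as an added example that is not part of the original article and not code from Kamkar's OwnStar tool: a local TLS listener plays the rogue access point's proxy and presents a forged certificate, and the same client credential is sent under four client configurations. The first, which skips verification entirely, behaves like the apps Kamkar described; ordinary PKI validation rejects the forged certificate, but is defeated again once the attacker's root is trusted by the device, which is the case pinning covers. The hostname, the self-signed certificates and the bearer token are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed values for the demo: the backend the app believes it is calling,
// and a stand-in for the credential it sends once the handshake completes.
const host = "api.example.invalid"
const credential = "Authorization: Bearer demo-token-not-real"

// selfSigned returns a freshly generated self-signed certificate for host that
// can serve both as a trust anchor and as the leaf a TLS server presents.
func selfSigned(issuer string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host, Organization: []string{issuer}},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo: the value a
// pinning app ships with and compares against the leaf it is offered.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// intercept plays the rogue access point's proxy: a TLS listener presenting the
// forged certificate. It returns the plaintext the client handed over, or ""
// if the client refused to complete the handshake.
func intercept(forged tls.Certificate, client *tls.Config) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{forged}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	captured := make(chan string, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			captured <- ""
			return
		}
		defer c.Close()
		buf := make([]byte, 512)
		n, _ := c.Read(buf) // the server-side handshake runs here and fails if the client rejects the cert
		captured <- string(buf[:n])
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return "" // certificate rejected: the credential never leaves the device
	}
	conn.Write([]byte(credential))
	conn.Close()
	return <-captured
}

// RunScenarios sends the credential to the forged server under four client
// configurations and reports what the attacker captured in each case.
func RunScenarios() map[string]string {
	_, legit := selfSigned("Legitimate Telematics Backend")
	forged, forgedLeaf := selfSigned("Attacker")
	onlyLegit := x509.NewCertPool()
	onlyLegit.AddCert(legit)
	withRogueRoot := x509.NewCertPool() // a device coaxed into trusting the attacker's root too
	withRogueRoot.AddCert(legit)
	withRogueRoot.AddCert(forgedLeaf)
	pin := spkiPin(legit)
	return map[string]string{
		// 1. What the vulnerable apps effectively did: accept whatever certificate is offered.
		"no-validation": intercept(forged, &tls.Config{InsecureSkipVerify: true}),
		// 2. Ordinary PKI validation against a trust store holding only the real backend.
		"ca-validation": intercept(forged, &tls.Config{ServerName: host, RootCAs: onlyLegit}),
		// 3. PKI validation alone no longer helps once a rogue root is trusted.
		"ca-validation-rogue-root": intercept(forged, &tls.Config{ServerName: host, RootCAs: withRogueRoot}),
		// 4. Pinning on top of validation: the leaf must carry the key the app shipped with.
		"pinned": intercept(forged, &tls.Config{ServerName: host, RootCAs: withRogueRoot,
			VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
				leaf, err := x509.ParseCertificate(raw[0])
				if err != nil {
					return err
				}
				if spkiPin(leaf) != pin {
					return errors.New("certificate pin mismatch: refusing connection")
				}
				return nil
			}}),
	}
}

func main() {
	for name, leaked := range RunScenarios() {
		fmt.Printf("%-25s captured=%q\n", name, leaked)
	}
}
```

Pinning the SubjectPublicKeyInfo hash rather than the whole certificate lets the backend renew its certificate without an app update as long as it keeps the key; shipping a backup pin for a spare key is the usual way to avoid locking the app out when the key itself must rotate.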