OnStar: Services and Security Concerns

OnStar, the connected car service from General Motors, has long been a symbol of automotive innovation, promising drivers enhanced safety, connectivity, and convenience. From its inception, OnStar aimed to provide a lifeline to motorists, offering a suite of services designed to assist in emergencies, deter theft, and simplify daily driving. However, like any complex technological system, OnStar is not immune to the evolving landscape of cybersecurity threats. Recent revelations by a security researcher have brought to light potential vulnerabilities within the system, raising questions about the security of connected vehicles.

What is OnStar and What Services Does It Offer?

OnStar is a subscription-based telematics system that integrates a vehicle's communication and computer systems with a dedicated network and human advisors. It's found in many modern General Motors (GM) vehicles and is designed to keep drivers and their vehicles connected. The core promise of OnStar revolves around three key pillars: safety, security, and connectivity.

Core OnStar Services: A Breakdown

OnStar offers a tiered approach to its services, with different plans catering to various needs and budgets. Here's a look at the typical offerings:

1. Basic Plan

Often included with eligible GM vehicles for a significant period (e.g., 5 years), the Basic Plan provides foundational services:

• Remote Access: Allows users to remotely lock/unlock doors, start/stop the engine, and honk the horn or flash lights via a smartphone app. This is a key feature for convenience and locating your vehicle in a crowded car park.
• Vehicle Diagnostics: Provides regular updates on key vehicle health indicators, alerting drivers to potential issues before they become major problems.
• Dealer Maintenance Notification: Automatically informs your preferred dealer when your vehicle is due for scheduled maintenance, simplifying the service process.

2. Protection Plan

Building upon the Basic Plan, the Protection Plan (typically around $24.99/month or $249.90/year) enhances safety and security:

• Automatic Crash Response: In the event of a detected crash, OnStar automatically connects with an emergency advisor who can assess the situation and dispatch emergency services if necessary, even if the occupants are unable to call for help.
• Emergency Services: Provides 24/7 access to OnStar advisors for various emergency situations, not just crashes.
• Stolen Vehicle Assistance: Works with law enforcement to help locate and recover stolen vehicles, potentially disabling the ignition remotely.
• Roadside Assistance: Offers support for common roadside issues like flat tyres, dead batteries, or running out of fuel.

3. Security Plan

Priced similarly to the Protection Plan (around $34.99/month or $349.90/year), this plan focuses on theft deterrence and control:

• Advanced Theft-Deterrent System: Features that help prevent unauthorised vehicle access and operation.
• Remote Ignition Block: The ability to remotely disable the vehicle's ignition to prevent it from being started, a crucial feature if the vehicle is stolen.

4. Guidance Plan

Also around $34.99/month or $349.90/year, this plan is for those who rely heavily on navigation:

• Turn-by-Turn Navigation: Provides spoken, step-by-step directions to destinations.
• Advanced GPS: Enhanced accuracy for navigation services.
• Destination Download: Allows sending destination information from a smartphone directly to the vehicle's navigation system.

5. Safety & Security Plan

The most comprehensive package (around $49.99/month or $499.90/year), this plan combines the features of the Security and Guidance Plans, offering a complete suite of safety, security, and navigation services.

Business and Fleet Services

OnStar also caters to businesses with customised plans for vehicle fleets. These can include:

• Vehicle Location Assistance: Real-time tracking of fleet vehicles.
• Fleet Driver Management: Insights into driver behaviour and performance.
• Business Vehicle Diagnostics: Monitoring vehicle health for fleet maintenance.

Data Plans and Add-Ons

Beyond the core service plans, OnStar offers:

• Data Plans: For in-vehicle Wi-Fi hotspots, with varying data allowances (e.g., 1GB to 20GB per month).
• Add-On Services: Such as Family Link for tracking family members' vehicles or OnStar Guardian, a personal safety app usable even outside the vehicle.

The OwnStar Vulnerability: A Security Researcher's Findings

A significant concern has emerged regarding the security of OnStar's RemoteLink mobile application. Security researcher Samy Kamkar unveiled a device, dubbed "OwnStar," which he claims can exploit a vulnerability to gain unauthorised access to OnStar-enabled GM vehicles. This device, built using a Raspberry Pi and costing less than $100, reportedly works by intercepting communication between the RemoteLink app and OnStar's servers.

How OwnStar Works (Theoretically)

Kamkar's research suggests that OwnStar can perform a type of attack known as a Man-in-the-Middle (MITM) attack. In essence:

1. The OwnStar device intercepts the communication when a user opens the OnStar RemoteLink app on their smartphone.
2. It then sends specially crafted data packets to the victim's device.
3. These packets exploit a privilege escalation flaw within the mobile software.
4. This allows the attacker to acquire high-level user credentials.
5. Once access is granted, the attacker can remotely control various vehicle functions, including unlocking doors, starting the engine, and sounding the horn.

Kamkar demonstrated these capabilities in a video, showcasing the remote control of a vehicle's functions. He noted that the exploit targets the mobile application's communication protocols, rather than a fundamental flaw in the vehicle's hardware itself.

GM's Response and Mitigation

General Motors has acknowledged the cybersecurity concerns and stated their commitment to customer safety. In response to Kamkar's findings, GM issued a statement:

"Cybersecurity is a global issue facing virtually every industry today, and a lot of work continues to been done at GM in this space. Our customers' safety and security is paramount and we are taking a multi-faceted approach to secure in-vehicle and connected vehicle systems, monitor and detect cybersecurity threats, and design vehicle systems that can be updated with enhanced security as these potential threats arise."

GM has reportedly been receptive to Kamkar's research and is working on a resolution to patch the vulnerability. In the interim, users of the OnStar RemoteLink app have been advised to refrain from using the app until an update and patch are provided.

Understanding the Risks

While the OwnStar exploit highlights a potential security gap, it's important to understand the context:

• Targeted Attack: This is not a widespread, automatic hack. It requires a physical device to be in proximity to intercept communications.
• Mobile App Vulnerability: The reported flaw lies within the mobile application's handling of communications, not necessarily the core vehicle systems.
• Ongoing Efforts: Carmakers like GM are increasingly investing in cybersecurity to protect against such threats.

Is OnStar a Good Choice for Vehicle Safety and Security?

OnStar provides a valuable array of services that can significantly enhance a vehicle's safety and security profile. Features like Automatic Crash Response, Stolen Vehicle Assistance, and Remote Ignition Block offer tangible benefits and peace of mind.

Comparing OnStar Plans

Choosing the right OnStar plan depends on your priorities. Here's a simplified comparison:

Frequently Asked Questions

How to get directions sent to your vehicle using OnStar?

You can typically send directions to your vehicle using the OnStar RemoteLink mobile app or by calling an OnStar advisor. The Guidance Plan and Safety & Security Plan include features like Destination Download and Turn-by-Turn Navigation, which facilitate this process.

Does OnStar offer a business vehicle plan?

Yes, OnStar offers customised plans specifically designed for fleet and commercial vehicles, including features for location tracking, driver management, and diagnostics.

What is the primary concern with OnStar's RemoteLink app?

The primary concern, as highlighted by researcher Samy Kamkar, is a potential vulnerability that could allow an attacker to intercept communication and gain unauthorised remote control of the vehicle.

What should users do if they are concerned about the OnStar vulnerability?

While GM is working on a patch, users have been advised to temporarily refrain from using the RemoteLink app until the vulnerability is addressed and an update is released.

The Future of Connected Car Security

The OwnStar incident serves as a stark reminder of the importance of robust cybersecurity in the automotive industry. As vehicles become more connected and reliant on software, the potential attack surface expands. Manufacturers like GM are investing heavily in over-the-air updates, intrusion detection systems, and secure coding practices to stay ahead of emerging threats. For consumers, staying informed about software updates and exercising caution with mobile applications linked to their vehicles is crucial.

OnStar continues to evolve, aiming to balance advanced connectivity with stringent security measures. While the recent vulnerability raises valid concerns, the proactive response from GM suggests a commitment to safeguarding its customers. Ultimately, the convenience and safety features offered by OnStar remain compelling for many drivers, but awareness of potential risks is paramount in this increasingly digital automotive world.