Last month security researcher Samy Kamar announced a vulnerability that allowed him to remotely unlock OnStar-enabled GM cars . While that issue has been fixed, it looks like the same vulnerability found in OnStar is also present in BMW Remote, Mercedes’ mbrace and Chrysler’s Uconnect. Kumar told Engadget via email, “the issue itself is the same exact SSL certificate issue that affected OnStar/GM (which they’ve resolved two weeks ago). It was barely any tweaking of the original system — a few lines of code to add support per vehicle.” Uh oh. I’ve updated OwnStar to also unlock cars from and attack BMW Remote, Mercedes-Benz mbrace, and Chrysler Uconnect. https://t.co/qRsjtLnRlM — Samy Kamkar (@samykamkar) August 13, 2015 The OwnStar device intercepts communication between a vehicle and its companion app and sends that information — including login information — to Kamar who then has control of the vehicle via the app and can unlock it. If you’re feeling smug about your vehicle because Kamar hasn’t called it out, you might want to curb that. The SSL certificate issue that allows a person to log in to a vehicle is pretty widespread. “Unfortunately it’s prevalent among half the other mobile unlocking apps I’ve tested, ” Kamar said. A Chrysler spokesperson told Engadget, “Consumer safety and security is our highest priority.” And that it “supports the responsible disclosure and remediation of cyber security vulnerabilities. Consistent with our focus on consumer safety and security FCA US opposes irresponsible disclosure of explicit ‘how to’ information that can help criminals gain unauthorized access to vehicles and vehicle systems.” Kamar won’t be releasing the updated code for OwnStar for at least 30 days so the automakers have a chance to update their systems. But if you’re an automaker that hasn’t been called out by hackers or security researchers, you might want to check your systems anyways. We have contacted BMW and Mercedes Benz for this article and will update when they reply to our queries. Filed under: Misc , Transportation Comments Source: Samy Kamar Tags: BMW, Chrysler, MercedesBenz, OwnStar, SamyKamar, Security
Continue reading here:
OwnStar car hacker can remotely unlock BMWs, Benz and Chrysler
An anonymous reader writes: Researchers from Palo Alto Networks and WeipTech have unearthed a scheme that resulted in the largest known Apple account theft caused by malware. All in all, some 225, 000 valid Apple accounts have been compromised. The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese — the malware is distributed through third-party Cydia repositories in China — but users in other countries have also been affected (European countries, the U.S., Australia, South Korea, and so on). “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device, ” Palo Alto researcher Claud Xiao explained. “KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.” Read more of this story at Slashdot. 
