
Thread: OnStar again

  1. #1
    Senior Member
    Join Date
    Nov 2003
    Posts
    107

    OnStar again

    I recently saw a commercial for OnStar, featuring the remote unlocking function. Some quick googling didn't turn up anything useful about anyone having cracked the system. But, from what I've read, you simply call OnStar and give them your PIN. Now, the PIN is only 4 digits long, so, that's some pretty easy brute-forcing there. And, the OnStar stuff works through GSM cellular communications, which is encrypted IIRC. So, eavesdropping on a stranded person to get their PIN doesn't seem viable. But, what's to stop you from eavesdropping on the signal that's sent to the car? You already know what range to look at, it's the GSM band, that's pretty simple. So, get a bunch of people together, lock your keys in your car, call OnStar, and log the signal that comes down. Enough of this logging and I imagine you'd be able to begin to crack however the system works. I'm assuming that this 'very secure' system probably runs using the PIN as input and a timer that's synchronized between your car and the data center.

    So, this brings up a few questions. How does the car know the PIN? Well, on the OnStar site, they say that you can call them and change your PIN by providing the old one and the new one. So, if your car does know your PIN, they have to send it over GSM to the car. That sounds like the classic scenario for a record and playback attack to me. To overcome the attack, the car would have to also communicate back to the data center with the PIN it knows over GSM. So, let's assume that you can't do a playback attack against the car because the system is 'very secure'. Now, (and this is the part I love), if you forget your PIN, just call them and they'll send it IN THE MAIL (because no one will take letters out of your mailbox). Now, I'm only 15, so I don't even have a car and certainly couldn't afford OnStar (nor want to worry about my privacy) if I did. I can't really test any of this out from here. Oh well.

    So, does anyone know if some people have tried to crack the OnStar system yet? I highly doubt it since OnStar supposedly only starts tracking a vehicle if it's reported stolen. For that, it'd be easier to use some cheap tools and a coat hanger to unlock the door and then disable both the GSM and GPS systems. Well, just some thoughts about the security of this remote unlocking.
    Is there a sum of an infinite geometric series? Well, that all depends on what you consider a negligible amount.
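
The record-and-playback concern and the "synchronized timer" guess in post #1, shown from the receiver's side as an added example; it is not part of the original post and is not OnStar's actual protocol. It assumes a hypothetical per-vehicle 256-bit secret (a 4-digit PIN has only 10,000 values and cannot serve as a MAC key), a 30-second freshness window, and an invented message layout; every name below is illustrative.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30          # assumed clock-skew / freshness window
NONCE_LEN, TAG_LEN = 16, 32  # assumed layout: timestamp(8) | nonce(16) | action | tag(32)


def make_command(key: bytes, action: bytes, timestamp: int, nonce: bytes) -> bytes:
    """Sender side: bind the action to a timestamp and nonce with HMAC-SHA256."""
    body = struct.pack(">Q", timestamp) + nonce + action
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Vehicle side: accept a command only if authentic, fresh, and never seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp of commands already accepted

    def accept(self, message: bytes, now: int) -> str:
        if len(message) < 8 + NONCE_LEN + TAG_LEN:
            return "malformed"
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "bad-mac"
        (timestamp,) = struct.unpack(">Q", body[:8])
        nonce = body[8:8 + NONCE_LEN]
        if abs(now - timestamp) > WINDOW_SECONDS:
            return "stale"      # a recording played back later fails here
        # Forget nonces whose timestamps can no longer pass the freshness check.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= WINDOW_SECONDS}
        if nonce in self.seen:
            return "replay"     # a recording played back immediately fails here
        self.seen[nonce] = timestamp
        return "ok"


if __name__ == "__main__":
    key = bytes(range(32))      # constructed sample key
    msg = make_command(key, b"UNLOCK", 1000, b"\x01" * NONCE_LEN)
    car = Receiver(key)
    print(car.accept(msg, 1005), car.accept(msg, 1010), car.accept(msg, 2000))
```

The timestamp alone would still let a recording be replayed inside the window, which is why the receiver also remembers nonces until they expire.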

  2. #2
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Honestly, GM is not secure at all, I work for AAA, we actually handle all of GM's road service calls... I can tell you the key code for any GM vehicle being driven right now...

    As far as OnStar goes, that is still handled by GM... I'm trying to figure out exactly how it works right now. I'm guessing exactly what you said...

    As far as the PIN, I believe the PIN is only used for personal identification, not as authentication for the vehicle. I believe that the vehicle side of it uses the same key code/VATS for the unlocking.

    BTW, coat hangers can't really be used to open very many newer vehicles, you actually need to shell out about $1 for a slim jim. (Available at many dollar stores.)
    Real security doesn't come with an installer.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Flaming Rain,

    Hi mate, let's sort your math out first?

    Is there a sum of an infinite geometric series? Well, that all depends on what you consider a negligible amount.
    Wrong............the sum of anything infinite is infinity itself...........think about it? (definition, not calculation?)

    I would not trust this "lazy crap" at all........... to all you who work for them. I telephone my bank, and do business that way. I like to do things personally, unless it involves illegality that I would not enjoy personally.

    These clever systems will easily be circumvented from motor cars by means of a blowtorch? A little squirt of liquid nitrogen? a house brick? a shim? Your average car can be stolen inside 30 seconds.

    You are suggesting a "social engineering" approach to circumventing this security........I would suggest a Colt .45 Auto.

    Anyway, you cannot lock yourself out of a good quality modern (certainly European) auto? And how would you know that this service was activated anyways?

    Sounds like an urban legend based rip-off to me.............aimed at old people

    I am disgusted

    Just my thoughts

  4. #4
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    A slim jim, a screwdriver, and a knife will steal 95% of all cars on the road...
    Real security doesn't come with an installer.

  5. #5
    Senior Member Raion's Avatar
    Join Date
    Dec 2003
    Location
    New York, New York
    Posts
    1,299
    Well, couldn't the signal sent to the car be interpreted by a scanner, recorded, then sent back again to the car? I guess you can easily social engineer someone to lend you their keys, then 'accidentally' leave it in, start your scanner and get the code, or if they don't have a cellular phone, lend them yours while recording the conversation on your cell phone and get the PIN number, then follow the guy and when he gets out call up and take his car. Or you can go old-fashioned and break the windows, disable the alarm and steal the car
    WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!

  6. #6
    Originally posted here by D0pp139an93r
    Honestly, GM is not secure at all, I work for AAA, we actually handle all of GM's road service calls... I can tell you the key code for any GM vehicle being driven right now...

    As far as OnStar goes, that is still handled by GM... I'm trying to figure out exactly how it works right now. I'm guessing exactly what you said...

    As far as the PIN, I believe the PIN is only used for personal identification, not as authentication for the vehicle. I believe that the vehicle side of it uses the same key code/VATS for the unlocking.

    BTW, coat hangers can't really be used to open very many newer vehicles, you actually need to shell out about $1 for a slim jim. (Available at many dollar stores.)

    I was having some extra keys made to lighten my key ring because, I read in a mag that a heavy key ring will actually damage the ignition? Anyway I was having a little chat with the locksmith about slim jims. He said with some of these new model cars that if you attempt to slim jim them, that bar that used to be metal is now break-away plastic, meant to give and break when the slim jim technique is applied. 2 cents

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    They also use a double plate system so a slim jim has to go down, up then down again to get to the locking mechanism on many cars in the last few years..... I know, we had a locksmith there for 2 hours in sub zero temps trying to get into a rental car - and that was 8 years or more ago... We ended up having to damage the car to get in...... The engine was still running..... Gotta love ex-wives....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member
    Join Date
    Nov 2003
    Posts
    107
    Raion, I believe that OnStar is counting on the encryption used by GSM to help stop those scanning attacks. Here's a link to the algorithm used: http://www.chem.leeds.ac.uk/ICAMS/people/jon/a5.html . But, here's a link to the cracking of GSM by some researchers: http://www.cryptonomicon.net/modules...rticle&sid=448 .

    So, it seems that eavesdropping may be possible (via man in the middle apparently). So yeah, when I get a car, I'm not ever going to get OnStar installed. I'm gonna buy one of those strong brake-lock deals. I was watching this show about repo men and car thieves and stuff and saw how easy most car lock systems are broken into. Those steering wheel clubs for instance, can be either broken via a metal tube or by sawing into the steering wheel itself. Some cheap brake-locks can have their locks shot off. I'm gonna definitely go with a hardened steel brake lock instead of any fancy security systems. If I want to track my stolen car, I'll wire my car up custom and just leave a cellphone embedded in the back seat.

    Why would anyone pay OnStar subscription fees when it's cheaper to simply carry an extra key in your wallet and a cellphone to call for help?
    Is there a sum of an infinite geometric series? Well, that all depends on what you consider a negligible amount.

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    I dunno much about the "stolen car industry" but what does a slim jim do for you when you're trying to open a car? I'm really confused, I never knew you could use it but how?
    Space For Rent.. =]

  10. #10
    I agree with nihil. Besides, why try to crack the system if all you have to do is look for a car that is unlocked anyway...... (people are more trusting than they should be these days)

    unless you're up for the challenge.........
