I recently saw a commercial for OnStar, featuring the remote unlocking function. Some quick googling didn't turn up anything useful about anyone having cracked the system. But, from what I've read, you simply call OnStar and give them your PIN. Now, the PIN is only 4 digits long, so that's some pretty easy brute-forcing there. And the OnStar stuff works through GSM cellular communications, which is encrypted IIRC. So, eavesdropping on a stranded person to get their PIN doesn't seem viable. But what's to stop you from eavesdropping on the signal that's sent to the car? You already know what range to look at: it's the GSM band, so that's pretty simple. So, get a bunch of people together, lock your keys in your car, call OnStar, and log the signal that comes down. Enough of this logging and I imagine you'd be able to begin to crack however the system works. I'm assuming that this 'very secure' system probably runs using the PIN as input and a timer that's synchronized between your car and the data center.

So, this brings up a few questions. How does the car know the PIN? Well, on the OnStar site, they say that you can call them and change your PIN by providing the old one and the new one. So, if your car does know your PIN, they have to send it over GSM to the car. That sounds like the classic scenario for a record and playback attack to me. To overcome the attack, the car would have to also communicate back to the data center with the PIN it knows over GSM. So, let's assume that you can't do a playback attack against the car because the system is 'very secure'. Now, (and this is the part I love), if you forget your PIN, just call them and they'll send it IN THE MAIL (because no one will take letters out of your mailbox). Now, I'm only 15, so I don't even have a car and certainly couldn't afford OnStar (nor want to worry about my privacy) if I did. I can't really test any of this out from here. Oh well.

So, does anyone know if some people have tried to crack the OnStar system yet? I highly doubt it since OnStar supposedly only starts tracking a vehicle if it's reported stolen. For that, it'd be easier to use some cheap tools and a coat hanger to unlock the door and then disable both the GSM and GPS systems. Well, just some thoughts about the security of this remote unlocking.
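A worked model of the two design points the post circles around, the record-and-playback worry and the 4-digit PIN: this is an added example, not part of the original post and not OnStar's actual protocol, which is not documented here. Everything in it is an assumption: a shared key stretched from the PIN with PBKDF2 and a constructed vehicle id, HMAC-SHA256 tags, a replay-vulnerable receiver that accepts any correctly tagged static `UNLOCK`, a challenge-response receiver that binds each response to a one-shot random nonce, and a call-centre `PinGate` that locks after a bounded number of wrong guesses. The class and function names are invented for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model only; the real OnStar protocol is not known here.
VEHICLE_ID = b"VIN-CONSTRUCTED-0001"  # constructed sample value, not a real VIN


def derive_key(pin: str, vehicle_id: bytes = VEHICLE_ID) -> bytes:
    """Stretch a short PIN into a 256-bit key (assumption: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), vehicle_id, 50_000)


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "sha256").digest()


class StaticCommandCar:
    """Replay-vulnerable receiver: any correctly tagged UNLOCK is accepted,
    no matter how old it is or how many times it has been seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.unlocked = False

    def receive(self, msg: tuple[bytes, bytes]) -> bool:
        body, tag = msg
        if body == b"UNLOCK" and hmac.compare_digest(tag, _tag(self.key, body)):
            self.unlocked = True
            return True
        return False


def static_center_unlock(key: bytes) -> tuple[bytes, bytes]:
    body = b"UNLOCK"
    return body, _tag(key, body)


class ChallengeResponseCar:
    """Freshness-protected receiver: the car issues a one-shot random nonce and
    only accepts a response whose tag is bound to that nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.unlocked = False
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def receive(self, msg: tuple[bytes, bytes]) -> bool:
        body, tag = msg
        if self.pending is None:
            return False
        expected = _tag(self.key, self.pending + b"|" + body)
        self.pending = None  # nonce is consumed whether or not the tag verifies
        if body == b"UNLOCK" and hmac.compare_digest(tag, expected):
            self.unlocked = True
            return True
        return False


def cr_center_unlock(key: bytes, nonce: bytes) -> tuple[bytes, bytes]:
    body = b"UNLOCK"
    return body, _tag(key, nonce + b"|" + body)


class PinGate:
    """Call-centre side: a bounded attempt count is what makes a 10,000-value
    PIN space impractical to walk through."""

    def __init__(self, pin: str, max_attempts: int = 3):
        self._pin = pin
        self.max_attempts = max_attempts
        self.failures = 0

    def check(self, guess: str) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked out until identity is re-verified out of band
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False


def demo_static_replay() -> tuple[bool, bool]:
    key = derive_key("1234")
    car = StaticCommandCar(key)
    recorded = static_center_unlock(key)  # the message a listener would capture
    first = car.receive(recorded)
    car.unlocked = False  # owner locks the car again later
    replayed = car.receive(recorded)  # the same bytes are accepted again
    return first, replayed  # (True, True)


def demo_challenge_response() -> tuple[bool, bool]:
    key = derive_key("1234")
    car = ChallengeResponseCar(key)
    recorded = cr_center_unlock(key, car.challenge())
    first = car.receive(recorded)
    car.unlocked = False
    car.challenge()  # new session, new nonce
    replayed = car.receive(recorded)  # old response is bound to the old nonce
    return first, replayed  # (True, False)


def demo_pin_lockout() -> list[bool]:
    gate = PinGate("1234", max_attempts=3)
    return [gate.check(g) for g in ("0000", "0001", "0002", "1234")]  # all False


if __name__ == "__main__":
    print(demo_static_replay(), demo_challenge_response(), demo_pin_lockout())
```

The poster's guessed "PIN plus synchronized timer" design sits between the two receivers: a time-windowed tag is replayable for as long as the window lasts, while the nonce version is replayable never, which is why a car-originated challenge is the usual fix for the recording attack described above.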