Security Review: GM Onstar

By chrt00 at 10:07 pm on February 10, 2008 | 7 Comments

GM’s OnStar service has been a sucess for several years now. It gives many services to people with GM vehicles. It provides some very powerful features such as GPS tracking, stolen vehicle slowdown, remote unlock and emergency services. However the technology imposes potential for exploitation.

Assets & Security Goals

The vehicle itself is a valuable property asset, as vehicles can be sold as parts (which can be worth more than the car) or for illegal export.

The vehicle’s tracking information also is valuable information in learning about the vehicle’s owner.


Other automakers may want to tarnish GM’s reputation.

Enemies of the vehicle’s owner may use it OnStar to their advantage.

Car theives can use OnStar to potentially find vehicles.


Since OnStar is both a computerized and call-center based service, social engineering techniques can be used to make the vehicle vulnerable to exploitation.

If someone knew the OnStar specification, the attacker could control some vital parts of the system (locking, fuel system, lights).


“Secure cellular connection that is authorized and authenticated by an OnStar server ” By authenticating communications, the vehicle should be more secure. Forgery of messages should be prevented by authorization given the system implements the proper authentication controls.

Security by obscurity – the OnStar technology is proprietary and is as well as well known as Windows CE or other platforms with vulnerabilities that are used in similar technologies (BMW, Fiat, Mitsubishi)

Since the OnStar system is not based on a well documented system, it is harder to find vulnerabilities other than reverse engineering, inspecting at the assembly level, or insider information.

There are valuable assests tied in with OnStar. However, due to the obscurity of the system, it should be relatively secure until the vulnerabilities are found. Social engineering could bypass these methods due to the call center approach, and could pose to be the biggest problem with securing the vehicle and its contents as an asset.

Filed under: Security Reviews7 Comments »


  • 1
    Get your own gravatar for comments by visiting

    Comment by raind

    March 21, 2008 @ 5:47 am

    Gee you think? would have been more interesting, ie: slowing down a car remotely, have you looked at the specs?

  • 2
    Get your own gravatar for comments by visiting

    Comment by James Youngman

    March 25, 2008 @ 4:38 pm

    Given the relative prevalence of GM vehicles I’m surprised that this writeup doesn’t even consider insider attacks. Most employees will know many GM owners.

    I’m sure at least one GM employee knows at least one GM owner that they would contemplate harming. A requirement for the effectiveness of the security design is that it be unfeasibly difficult or costly for such an insider to perform an attack.

  • 3
    Get your own gravatar for comments by visiting

    Comment by Avery Sawaba

    March 25, 2008 @ 7:27 pm

    “Other automakers may want to tarnish GM’s reputation.”

    Completely unnecessary. GM is already fully capable of doing that on their own.

    Am I missing the review somewhere? This seems like a high-level idea for a review based mostly on speculation, rather than any research of the subject. If an actual review or assessment were performed, I’d be interested in the results!

    Surely, it must be possible to glean specifications for OnStar, if not through official, exhaustive documentation, then surely a list could be created via first-hand experiences, or OnStar feature listings from GM marketing.

  • 4
    Get your own gravatar for comments by visiting

    Comment by Employee

    May 21, 2008 @ 8:59 pm

    I actually work in one of the OnStar centers. The social engineering, while still the most feasible method to abuse the OnStar system, would still be very difficult. I went through 6 weeks of training before even getting on the phones, and a lot of that was security for the clients. There are dozens of supervisors on the floor at any given time watching to make sure we go through proper security processes, and if we don’t verify certain pieces of security information, and sign off with our name that we verified it then all the personal information cannot be given out. If it is given to the wrong person, it can easily be tracked back to who gave it out, and that is likely to be followed by termination of employment, and charges by the company.

    And that is also the same thing for having a grudge against someone with a GM vehicle. Every button I press, and every action I do to a vehicle is kept on file. Granted, not every case is reviewed, but as soon as a complaint is filed, the case is reviewed within a matter of hours, and the advisor that was on the case is either approached if he’s working, or they will actually call us to come in so they can speak with us. It has happened before, and I’ve seen it happen, but I would not have wanted to be that person.

    And the article is correct about the OnStar system being very hard to find information on. Everything inside the building is labelled as “OnStar Proprietary information”, meaning it can’t leave the building. Even my schedule is labelled as that. Hell, I’m not even allowed to have a pen/pencil and paper at my desk, because we may write something down and take it home that we aren’t supposed to. If we need to write anything down, we are given a whiteboard and erasable marker (both again being proprietary somehow) that can’t leave the building. And with all the supervisors around constantly watching us, they’d be able to tell if there was any personal information written down about a person that shouldn’t be, whether it’s the name or a credit card number. I know I’ve received a wristslap at work for writing down a clients name and cell phone number, because I had to call them back as the car battery was dead, and the OnStar system would shut down after 5 minutes. We don’t have printers, and the OnStar environment is almost completely paper free.

    I could probably be fired even just for talking about that stuff, even though it’s positive for the system and doesn’t really expose any exploits, it’s still talking about the system in ways that most people don’t realize.

  • 5
    Get your own gravatar for comments by visiting

    Comment by Norman

    August 4, 2008 @ 2:19 pm

    Did OnStar ever fix the problem where, if law enforcement was monitoring conversations inside the vehicle, and the vehicle was involved in an accident, the vehicle couldn’t call for help? Hmmm….would that also include occupants being on a phone call?

    If the car isn’t being tracked “actively”, does OnStar still keep track of the vehicle’s location? How long do they keep this information, and how much effort is required to retrieve the information? ie. Can the owner get this information; can Police get this information on request; or do they require a court order?

  • 6
    Get your own gravatar for comments by visiting

    Comment by Anuya

    March 2, 2009 @ 11:15 pm

    What are some ’06 or newer GM hatchbacks that are likely to have OnStar? At least in my area, OnStar isn’t a common feature on the Malibu Maxx so I’m considering other hatchback options in the GM family.Ones I’ve already seen and don’t want: GMC Acadia & Cadilac SRX (too expensive) Saturn Astra (too small) Chevy Equinox (too environmentally unfriendly) and Chevy Uplander (too minivan!!).I’m looking into the Chevy HHR. What else have I missed?

  • 7
    Get your own gravatar for comments by visiting

    Comment by Ryan McElroy

    March 3, 2009 @ 4:05 pm

    OnStar Employee,

    Thanks for sharing that information with us. I certainly hope you don’t see any repercussions for it — I think what you wrote is fair and provides no exploitable or proprietary information. It is interesting how seriously OnStar takes its information security. If more companies did that, we would certainly have fewer stories about huge information leaks through lackadaisical security protocols.

RSS feed for comments on this post