Tag Archives: Adafruit FONA

This $100 device can locate, unlock and remote start GM cars

OwnStar is a device that can locate, unlock and remote start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers.

When director Sam Esmail was casting for his latest cyberpunk–thriller TV series Mr. Robot, we’re surprised serial hacker Samy Kamkar wasn’t in the running for the star role. That’s because, in just the last year alone, the 29-year-old has devised a plug-in box capable of tracking everything you type, a 3D-printed robot that can crack combination locks, and his own radio device for online anonymity. Added to that growing list is a tablet-sized unit that can easily tap into and wirelessly take control of a GM car’s futuristic features.


Undoubtedly, car hacking will be a hot topic at this year’s Black Hat and DEFCON events. Cognizant of this, the Los Angeles-based entrepreneur has created what he’s calling OwnStar, a device that can locate, unlock and remotely start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers.

As you can see in the video below, the system is driven by a Raspberry Pi and uses an ATmega328 to interface with an Adafruit FONA for cellular connection. After opening the OnStar RemoteLink app on a smartphone within Wi-Fi range of the hacking gadget, OwnStar works by intercepting the communication. Essentially, it impersonates the wireless network to fool the smartphone into silently connecting. It then sends specially crafted packets to the mobile device to acquire additional credentials and notifies the attacker over 2G about the new vehicle it indefinitely has access to, namely its location, make and model.

First reported by WIRED, Kamkar has revealed that if a hacker can plant a cheap, homemade Wi-Fi hotspot somewhere on an automobile’s body — whether that’s under a bumper or its chassis — to capture commands sent from the user’s smartphone, the results for vulnerable car owners could range from pranks and privacy breaches to actual theft.


With the user’s login credentials, an attacker could do just about anything he or she wants, including tracking a car, unlocking its doors and stealing stuff inside (when carjacking meets car hacking), or starting the ignition from afar. Making matters worse, Kamkar tells WIRED that remote control like this can enable a malicious criminal to drain the car’s gas, fill a garage with carbon monoxide or use its horn to drum up some mayhem on the street. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

It’s evident that Kamkar’s objective here isn’t to help thieves and endanger the lives of drivers; instead, he is hoping to utilize OwnStar to raise awareness around the vulnerabilities of connected cars. Fortunately though, the actual issue lies in the mobile software and not the GM vehicles themselves. The carmaker has already been receptive to this discovery and plans to fix the matter at hand. Until then, the hacker advises owners to refrain from opening the app until an update has been provided by OnStar.

Intrigued? Kamkar says that he will provide more details around this and other hacks at DEFCON, which he will share on his website as well. Until then, you can watch the demonstration that was conducted on a friend’s 2013 Chevy Volt.

NOTE: Kamkar has confirmed that OnStar has indeed resolved the vulnerability and a RemoteLink app update has been released.

Hacker builds an impressive ProxyHam alternative

ProxyGambit boasts twice the radio range of the ProxyHam, as well as unlimited reach with GSM.

While many of us have been scratching our heads as to what happened to the ProxyHam following its sudden disappearance, Samy Kamkar has surfaced with his own take on online anonymity. The hacker has created what he calls an “advanced resurrection of ProxyHam,” also known as ProxyGambit — a device that enables users to access an Internet connection from anywhere on Earth without ever revealing their IP address or location. 


The news of ProxyHam’s demise came over Twitter when Rhino Security, the consultancy run by the project’s creator Ben Caudill, announced that it was being pulled from the DEFCON agenda. The tweet stated, “Effective immediately, we are halting further dev on #proxyham and will not be releasing any further details or source for the device.”

The $238 ProxyGambit has one-upped its predecessor, given that its direct line-of-sight point-to-point link boasts a range of up to six miles, more than double ProxyHam’s two-and-a-half miles. And impressively, it can work anywhere on Earth via 2G. It can use a reverse-tunneled GSM bridge that connects to the Internet and exits through a wireless network anywhere in the world.

“While a point to point link is possible, the reverse GSM bridge allows you to proxy from thousands of miles away with nothing other than a computer and Internet with no direct link back to your originating machine,” Kamkar explains.


Both methods proxy the connection through local Wi-Fi networks near the gadget, shielding the user and making it more difficult to determine one’s true whereabouts, IP and identity. The ProxyGambit consists of two Adafruit FONA GSM breakout boards, any two ATmega328 Arduino boards and two Raspberry Pis. The FONA uses a SIM800 chip to link the Arduino to the GSM network to produce a 2G Internet connection. Meanwhile, the Arduino serves as a serial connection over a reverse TCP tunnel and provides a software proxy layer between the Raspberry Pi’s UART and the FONA. One of the most vital parts of the project, if not the most vital, is the Pi, which drives the Linux serial link and bridges the public Wi-Fi and radio connection.

Beyond all that, Kamkar employs a 2.5A USB hub, an SD card to host the operating system and data, a Wi-Fi card depending on how far a user would like the ProxyGambit to reach, and a LiPo battery to power the FONA.


When all is said and done, the hacker does emphasize that this is merely a proof of concept and recommends that any potential builders proceed with extreme caution.

“The fragmentation of data through alternate mediums is a useful and effective concept and those interested in privacy, anonymization, or deanonymization should explore this area further. Entropy is both gained and lost with these methods and many risks are involved when deploying any system of this nature,” he concludes.

Intrigued? Head over to Kamkar’s page, where he has made all of the ProxyGambit’s source code and instructions available.

Now you can build your own DIY phone with Arduino

Adafruit’s Limor Fried shows us how to create your own $125 phone using Arduino and a FONA Shield.

Walking into your local Verizon Wireless store or going online to buy a gadget is so 2014. Instead of shelling out hundreds of dollars for that iPhone or Samsung Galaxy, why not make your own for a fraction of the cost? Nowadays, nearly two-thirds of the American population own a smartphone, and for many, these devices are a key entry point to the online world. But what about the age of basic cellphones, like that old-school Nokia 5110, which packed just enough features to communicate with your friends and family via text or voice, keep busy playing Snake and set morning alarms? If you’re looking for something reminiscent of the late ‘90s, then you’ll love Adafruit’s newly revealed Arduin-o-Phone — the brainchild of Limor Fried (aka Lady Ada) herself.


While you may not be able to accept Facebook friend requests, reply to emails or browse the web, this DIY project packs all of the necessary functions. Even better, it doesn’t require an extensive lineup of supplies to get started. As its name would imply, the Arduin-o-Phone is based on an Arduino Uno (ATmega328) along with a few other components including a FONA Shield for cellular network connection to make calls, a 2.8” TFT Shield for its resistive touch display, a GSM antenna and SIM card, and a LiPo battery for power. Additionally, the device can either be used with a headset or a speaker and mic combination for those looking for a more “hold it up and talk” style.


Designed with flexibility in mind, the capabilities of the Arduin-o-Phone can be expanded upon, or simply left in its barebones form. Using Adafruit’s libraries, Makers can devise their own dialer with less than 200 lines of code, as well as create their own interface and customize an app using the Arduino IDE.

“Most of the soldering happens on the FONA shield. Don’t forget to solder it with stacking headers,” Fried advises.


To piece it all together, attach the mini speaker and wired electret microphone, solder the vibrating motor disc, and add the LiPo battery. From there, insert the SIM card and GSM antenna into the uFL connector, and plug the FONA Shield onto the Arduino. Connect the Uno to the computer and upload the Arduin-o-Phone sketch.

And voilà, you just made your own phone! Intrigued? Check out a step-by-step breakdown of the build on Adafruit, and access its code on Github here.

This smart packaging system will revolutionize gift-giving

Now you can “be present” when your gift to someone else is received and opened. 

Winston Churchill once said, “We make a living by what we get. We make a life by what we give.” Whether it’s a holiday, a special occasion or simply “just because,” many folks find the act of giving to be much more enjoyable (and gratifying, of course) than actually receiving a new toy, accessory or gadget themselves. However, when the giver and the intended recipient live far from one another, it gets a bit more difficult to experience the moment of unboxing. And so, FROLIC hopes to bridge that gap with their new project Omni Present.


Andrew Spitz, who happens to be the co-founder of the Dutch design studio, has a mother who lives in France. Despite being in separate countries, Spitz wanted to create a way to “be there” when his mom opened his package to her. With this in mind, the aptly named smart packaging system was devised to connect gift senders to their receivers as if they were both in the same place at the same time.


When the present is opened, exposure to light triggers a sensor inside to automatically dial the mobile phone of the sender. The sender can then communicate with the recipient through the package in real-time, enabling them to share the experience together.


The fully-functional prototype was brought to life using an Arduino Nano (ATmega328), an Adafruit FONA Mini Cellular GSM module and some custom electronics. Once completed, the team shipped it out into the world to be tested, which was very well received — especially by Spitz’s mother in France.

Interested in learning more? Head over to the project’s official page, or watch it in action below.

Devising the ultimate Ding Dong Ditch hack

Admit it: As a child, you all have played some good ol’ Ding Dong Ditch. The practical prank — whose name has a number of variants from knock down ginger to knock knock run — dates all the way back to 19th century England. It involves knocking on the front door (or ringing the bell) of a neighbor, then running away before the door can be answered. Now in the 21st century, a Maker by the name of Samy Kamkar is ushering the vintage game into the digital-savvy era.


Kamkar recently hacked into his friend’s wireless doorbell (using less than $100 in equipment) in such a manner that whenever he sent a text message to the device, it would ring. Even better, it’s also a surefire way to know that the unknowing victim will come outside to an empty doorstep.

To bring this idea out of the 19th century simply called for a $14 software defined radio, a GSM breakout board and an RF transmitter to transmit custom signals. With just a little extra hardware and software support from an Arduino Nano (ATmega328) and some reverse engineering of a proprietary radio signal, he was well on his way to the ultimate prank.

In order to accomplish this feat, Kamkar first needed to know the frequency, the modulation scheme, as well as what the doorbell was sending. Though some of the information could be revealed by just finding the FCC ID, the Maker discovered a much better way. While his friend was out of the house, Kamkar rang the doorbell several times while watching the waterfall view with an RTL-SDR TV tuner. In his efforts to capture and demodulate the signal, he observed that the bell was transmitting at around 433.8 MHz.


From there, the Maker examined the audio waveform in Audacity, which revealed that the doorbell used On-Off Keying, that is, just turning the radio on for a binary “1” (high signal at 750us) and off for a binary “0” (lows/no signal also appear to be in blocks of 750us). And, with just a 434MHz ASK RF Transmitter from SparkFun, Kamkar was able to replicate the output of the doorbell.

The Maker says that creating the code to trigger this is pretty simple once you’ve created an array with all the times the ‘1’ (or high) signal begins.
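The following is an added example, not code from the original post or from Kamkar's project, showing how a demodulated On-Off Keying capture with the 750us symbol length described above can be analysed. It quantizes envelope timings into bits, lists the offsets where the high signal begins, and checks whether repeated presses decode to the same frame, which is the property that makes a fixed-code transmitter replayable. The capture values and function names are constructed for illustration.

```python
SYMBOL_US = 750  # symbol length reported in the article (microseconds)


def runs_to_bits(runs, symbol_us=SYMBOL_US, tolerance=0.25):
    """Quantize (level, duration_us) runs of an OOK envelope into a bit string.

    Each run must be close to a whole number of symbols; a run that is more
    than `tolerance` symbols away from a multiple is rejected as noise.
    """
    bits = []
    for level, duration_us in runs:
        symbols = duration_us / symbol_us
        count = round(symbols)
        if count < 1 or abs(symbols - count) > tolerance:
            raise ValueError(f"run of {duration_us} us does not fit {symbol_us} us symbols")
        bits.append(str(level) * count)
    return "".join(bits)


def high_start_times(bits, symbol_us=SYMBOL_US):
    """Offsets (us) of every 0->1 edge, i.e. where the carrier switches on."""
    return [i * symbol_us for i, bit in enumerate(bits)
            if bit == "1" and (i == 0 or bits[i - 1] == "0")]


def is_fixed_code(frames):
    """True when several captured presses all decode to the same frame.

    Identical frames mean the transmitter has no rolling code or counter,
    so a receiver cannot tell a recorded transmission from a fresh one.
    """
    return len(frames) > 1 and len(set(frames)) == 1


# Constructed captures: three button presses, with small timing jitter.
PRESS_1 = [(1, 752), (0, 1490), (1, 1510), (0, 745), (1, 760), (0, 2240)]
PRESS_2 = [(1, 740), (0, 1505), (1, 1495), (0, 755), (1, 748), (0, 2260)]
PRESS_3 = [(1, 758), (0, 1498), (1, 1502), (0, 750), (1, 751), (0, 2251)]

if __name__ == "__main__":
    frames = [runs_to_bits(p) for p in (PRESS_1, PRESS_2, PRESS_3)]
    print("frame:", frames[0])
    print("high signal begins at (us):", high_start_times(frames[0]))
    print("fixed code:", is_fixed_code(frames))
```

Receivers that accept a frame like this unchanged on every press offer no protection against replay; a rolling code or counter in the frame would make the three decoded frames differ.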


“You do need to power the Arduino (easy by connecting USB to it), as well as connecting USB to the FONA and a 3.7v Lion/LiPo battery to the FONA and leave it outside the location of the doorbell. Don’t worry as the FONA USB connection simply charges the battery. It’s silly, I know, but it’s necessary. If just running temporary, USB batteries work great too,” Kamkar writes.

For this project, he used a mini GSM cellular breakout board from Adafruit. The module enables him to simply send a text message with the word “doorbell” to the device, which relays a signal to the ATmega328-based Arduino and transmits the created signal to ring the doorbell.

Not only can you watch the ingenious hack in action below, you can read the Maker’s entire step-by-step breakdown here.