OTPulse

General Motors and Shanghai OnStar (SOS) iOS Client

Act Now | 9.8 | ICS-CERT ICSA-17-234-04 | Aug 22, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Shanghai OnStar iOS Client version 7.1 contains multiple critical vulnerabilities related to lack of encryption (CWE-312), missing security controls (CWE-300), and weak authentication (CWE-287). These vulnerabilities allow remote attackers without credentials to intercept sensitive vehicle telemetry data, location information, and potentially inject commands to control connected vehicle functions.

What this means
What could happen
An attacker could intercept unencrypted communications between the Shanghai OnStar iOS client and remote services, potentially capturing sensitive vehicle telemetry, location data, or commands that could alter vehicle operation or disable safety features.
Who's at risk
Fleet operators and individual vehicle owners using General Motors or Shanghai OnStar remote vehicle management features on iOS devices. This affects any organization managing connected vehicle fleets, including municipal transit authorities, corporate vehicle fleets, and emergency response services that rely on remote diagnostics, location tracking, or remote vehicle commands.
How it could be exploited
An attacker with network access (such as on the same Wi-Fi network or via a compromised network node) can intercept the unencrypted communications between the iOS client and OnStar backend services. They could capture sensitive data or, depending on the specific vulnerability, inject commands into the communication stream to control vehicle functions.
Prerequisites
  • Network access to the same network segment as the iOS device or ability to intercept traffic between the device and OnStar servers
  • The Shanghai OnStar iOS client application version 7.1 running on the target device
  • No authentication bypass needed due to weak credential validation (CWE-287)
remotely exploitable, no authentication required, low complexity to exploit, no patch available, unencrypted communications, affects vehicle command and control
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
Shanghai OnStar iOS Client | 7.1 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Do not use the Shanghai OnStar iOS Client version 7.1 until a patched version is available from the vendor. Use alternative remote vehicle monitoring methods if available.
HARDENING: Restrict network access to the iOS device running OnStar—keep devices on separate secured networks from critical operational systems and isolate from shared Wi-Fi networks in vehicles or facilities.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor for any unusual vehicle telemetry changes or unexpected remote commands executed on connected vehicles. Log all remote vehicle operations for audit purposes.
HOTFIX: Contact GM and Shanghai OnStar to request availability of a patched version of the iOS client and security advisories on the specific vulnerabilities.