I recently wrote about a vehicle hacking demonstration which exposed serious vulnerabilities in a 2014 Chrysler Jeep Cherokee in “Hack my ride.” As expected, the threat extended well beyond that specific make and model and resulted in the recall of 1.4 million vehicles that were affected by the vulnerability.
Don’t feel smug because you don’t drive one of those models because the hits keep coming…
Here’s one that affects GM’s OnStar system, specifically, the mobile app that allows for remote access of vehicle functions. As you can see in this video below, it is possible to create a good deal of havoc with little more than about $100’s worth of equipment.
According Wired.com:
When the driver comes within Wi-Fi range of Kamkar’s $100 contraption, which he’s named “OwnStar” in a reference for the hacker jargon to “own” or control a system, it impersonates a familiar Wi-Fi network to trick the user’s phone into silently connecting.
The consequences?
a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.
The good news? This one should be fixable with a patch to the mobile app.
The bad news? Expect to see more of these sorts of car hacks to come.
WireLurker: Most iPhone and iPad users never get a second thought to malware on their devices. After all, Apple scrubs all the apps that go into their app store, right? And, if you’ve been good and haven’t jailbroken your device, that “walled garden” of security should protect you since there’s no way to instal apps, malicious or otherwise, from other sources, right? Not exactly. What if you download an infected program to your Mac that then passes malware to your iPhone when you connect it via USB? Meet WireLurker. Here’s a description from 
Gyrophone: I’ve posted here before about the possibility of malware surreptitiously turning on the microphone (or camera, yikes!) on a mobile phone turning your trusty sidekick into an always on surveillance device. One of the protections against this sort of attack is that apps, even bad ones, typically need to ask for your permission in order to access the mic (or camera). Of course, if the malware is disguised as a benign program you might be willing to grant access but it turns out that you may not have to. Researchers at Stanford found that the gyroscopes in modern phones that help them know how the device is oriented in your hand. so that the screen can rotate accordingly, are so sensitive that they can pick up the vibrations of ambient sound. In other words, you talk, your phone vibrates, the built-in gyro registers the movement (ever so slight as it may be) and then a program could pick up on this and transmit what you are saying without your knowledge. But wouldn’t you have to grant access to the gyroscope to the malicious program? No, because designers apparently never anticipated this sort of use (abuse?) of that feature. Read more about it and watch a video 
Inside Internet Security 