ICSA-17-234-04  ·  Published 2018-01-09  ·  Source: CISA ICS-CERT

General Motors and Shanghai OnStar (SOS) iOS Client

CVSS 9.8 CRITICAL

Risk Summary

ATTENTION: Remotely exploitable; low skill level required to exploit.

Remediations

  • Users should not root or jailbreak their phones; doing so creates the preconditions for attacker access to mobile phone memory, including the ability to read the JSON web token encryption keys.
  • GM's HTTP Public Key Pinning rollout is complete to mitigate Man-In-The-Middle attacks for SOS iOS Client Version 7.1. The rollout includes back office and iOS client changes (now version 7.2). For North America iOS OnStar clients, HTTP Public Key Pinning deployment (back office and mobile app) is scheduled for December 2017.
  • Debugging code was removed from SOS Identity Management servers to prevent attacker access to user accounts.

Affected Vendors

General Motors (GM), Shanghai OnStar (SOS)

Affected Products (1)

General Motors (GM), Shanghai OnStar (SOS) · Shanghai OnStar iOS Client 7.1
