Yeah I'm not convinced... I don't see anything in the video that appears to be anything other than the normal functionality of the RemoteLink app by an authorized user. All of the functions listed (remote start, vehicle location, etc.) are normal functions of the app. Under normal use, the app will ask for a PIN for any command with security repercussions, and further commands in the same session will not require a PIN. I'd be very interested to know whether this "hack" is somehow capturing that PIN, or whether this is nothing more than a replay attack. Could be nothing more than copying the current login session from one phone to another...
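The point about a PIN unlocking the rest of a session is the design question that matters for defenders: if the PIN only flips a flag on the login session, then a session copied to another phone, or a captured command replayed later, gets the privileged commands for free. The following is an added illustration, not code from the post's author or from GM/OnStar, of how a command endpoint can close both gaps: each privileged request is signed with a per-device secret that never crosses the wire after enrollment, carries a fresh nonce and timestamp, and must fall inside a short PIN step-up window. All names, window lengths, and the `CommandServer` class are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example (not RemoteLink/OnStar code). Assumed policy values:
PIN_WINDOW_SECONDS = 300    # how long one PIN entry keeps privileged commands open
CLOCK_SKEW_SECONDS = 60     # tolerated drift between phone and server clocks
PRIVILEGED = {"remote_start", "unlock", "locate"}   # commands that need a PIN step-up


class CommandServer:
    """Server side of a vehicle-command API with device-bound, replay-resistant requests."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.devices = {}       # device_id -> secret shared only at enrollment
        self.sessions = {}      # session_id -> {"user", "device_id", "pin_until"}
        self.seen_nonces = set()
        self.pin_hashes = {}    # user -> (salt, pbkdf2 hash of the PIN)

    def enroll_device(self, device_id):
        # The phone stores this secret locally; it is never transmitted again,
        # so a copied login session on another phone cannot produce valid signatures.
        secret = secrets.token_bytes(32)
        self.devices[device_id] = secret
        return secret

    def set_pin(self, user, pin):
        salt = secrets.token_bytes(16)
        self.pin_hashes[user] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))

    def login(self, user, device_id):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "device_id": device_id, "pin_until": 0.0}
        return sid

    def _check_pin(self, user, pin):
        salt, expected = self.pin_hashes[user]
        got = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        return hmac.compare_digest(got, expected)

    @staticmethod
    def sign(secret, sid, command, ts, nonce, pin=""):
        # Signature covers everything the server acts on, so a MITM cannot
        # swap the command or re-time the request without the device secret.
        msg = "|".join([sid, command, str(ts), nonce, pin]).encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def handle(self, sid, command, ts, nonce, sig, pin=""):
        sess = self.sessions.get(sid)
        if sess is None:
            return "no session"
        secret = self.devices[sess["device_id"]]
        if not hmac.compare_digest(sig, self.sign(secret, sid, command, ts, nonce, pin)):
            return "bad signature"          # session copied to a phone without the secret
        now = self.clock()
        if abs(now - ts) > CLOCK_SKEW_SECONDS:
            return "stale timestamp"        # old capture replayed much later
        if nonce in self.seen_nonces:
            return "replay"                 # same request bytes submitted twice
        self.seen_nonces.add(nonce)
        if command in PRIVILEGED:
            if pin:
                if not self._check_pin(sess["user"], pin):
                    return "bad pin"
                sess["pin_until"] = now + PIN_WINDOW_SECONDS
            if now >= sess["pin_until"]:
                return "pin required"       # window expired or never opened
        return "ok"


def demo():
    """Walk through the cases the post raises and return each outcome by name."""
    clock = [1_000_000.0]                    # controllable clock for the example
    srv = CommandServer(clock=lambda: clock[0])
    srv.set_pin("alice", "1234")             # constructed user and PIN
    phone_secret = srv.enroll_device("phone-A")
    sid = srv.login("alice", "phone-A")

    def send(command, pin="", secret=phone_secret):
        nonce, ts = secrets.token_hex(8), clock[0]
        sig = CommandServer.sign(secret, sid, command, ts, nonce, pin)
        return srv.handle(sid, command, ts, nonce, sig, pin), (command, ts, nonce, sig, pin)

    out = {}
    out["no_pin"], _ = send("remote_start")                 # privileged, no PIN yet
    out["with_pin"], captured = send("remote_start", "1234")
    out["same_session"], _ = send("locate")                 # inside the PIN window
    out["replay"] = srv.handle(sid, *captured)              # captured request resent verbatim
    out["copied_session"], _ = send("unlock", secret=b"not the enrolled secret")
    clock[0] += PIN_WINDOW_SECONDS + 1
    out["expired"], _ = send("unlock")                      # window has lapsed
    return out
```

The design choice worth noting is that the PIN window is still per session, exactly as the post describes, but the session alone is no longer enough: the signature binds each request to a secret that only the enrolled phone holds, and the nonce set turns a verbatim replay into a rejected request. Binding the PIN window to the signing device rather than to the bare session id is what makes copying a login session from one phone to another useless.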
Also, the remote-start thing is way overhyped. Remote starting a Chevy Volt does nothing more than turn on the A/C. You can't actually start the car and drive away without pressing the Power button, at which point the vehicle will look for and interrogate a valid key fob.
The biggest question I have so far is how he's managing to intercept the data stream between the RemoteLink app and GM. Presumably it communicates via HTTP (though one would hope HTTPS). I doubt that little box is intercepting 3G/4G cellular data, so I suspect that this is only possible via an insecure WiFi connection.
I agree, the video doesn't really prove anything. It simply looks like he's using the app normally. I could make an identical video with my own Volt. I assume he's actually doing what he claims, but the lack of detail in the video means it isn't actually proof of anything.
The SIM800L seen in his device is a quad-band GSM module. He also has a Raspberry Pi and an RTL8187L wireless NIC in there. It seems like it's a MITM attack between the app and OnStar's servers, but the GSM module makes me think he might be generating cellular packets to send directly to the target vehicle. The app doesn't even automatically refresh the displayed vehicle status info just by opening the app, so it doesn't seem like simply opening the app would trigger an OnStar-to-vehicle cellular connection that he could take advantage of.
I suppose it could be for intercepting the app's traffic over a cellular connection, but it seems like breaking into that data stream would be more complex than hijacking a Wi-Fi connection (though I admittedly don't know too much about data over cellular connections). It looks like all of the iPhones that are in use are on VZW cellular connections (the screenshot of the map is on Wi-Fi).
Maybe it's just to give the OwnStar cellular connection ability to report the target vehicle info to him from anywhere? That seems a bit excessive for a PoC for local testing, but I guess if he's taking it to DefCon, he would want it to work there.
If he is doing something with a direct cellular connection, it's somewhat mitigated by the fact that '14 and older models use VZW CDMA for OnStar service, while '15 and newer models have switched to AT&T. I'm sure it wouldn't be too hard to use a different cellular radio in the OwnStar, but it does make the target vehicles somewhat heterogeneous.