SiriusXM Vulnerability Allows Hackers to Remotely Unlock and Start Connected Cars
Researchers have discovered a security flaw that allows attackers to remotely attack vehicles through an application provided by SiriusXM. Car models from Nissan, Honda, Acura and Infiniti have been confirmed affected by this method to date.
Researcher Sam Curry stated last week on Twitter that the vulnerability could be exploited to unlock the doors, start the engine, locate and even honk the horn of any affected vehicle, given only its vehicle identification number (VIN). More than 10 million cars registered in North America, including models from Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota, are believed to use the Connected Vehicles (CV) Services.
The system is designed to provide a range of convenience, security and safety options, including turn-by-turn navigation, enhanced roadside assistance, remote door unlocking, remote engine start, help in recovering stolen vehicles, automatic crash notification and integration with the smart devices in your home.
The issue stems from an authorization flaw in a telematics application that let remote attackers take control of the affected vehicle and obtain the owner's personal data by sending a specially crafted HTTP request containing the VIN to a SiriusXM endpoint.
Curry also disclosed a separate vulnerability affecting Hyundai and Genesis vehicles: using only the email address registered in the MyHyundai or MyGenesis application, an attacker could remotely control the engine, locks, headlights and trunk of vehicles built after 2012.
User accounts for these apps are linked to the VIN of the owner's vehicle in order to run commands and retrieve information about it. Curry explains why this feature puts people at risk: SiriusXM uses the VIN associated with an account to exchange data and instructions between its application and its server, so anyone who knows a VIN could obtain the vehicle owner's name, telephone number and address as well as details of the vehicle.
In his tests, Curry was able to issue commands using only the VIN and remotely manage the vehicle: locking and unlocking the doors, starting and stopping the engine, and honking the horn. Curry says he alerted SiriusXM to the flaw and the company swiftly remedied the issue.
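The flaw pattern described above, as an added illustration (not SiriusXM's, Curry's or any manufacturer's code): a mock telematics command handler that authorizes a request by the VIN it carries, beside a corrected handler that also checks the VIN is linked to the caller's own account. Account names, VINs and command names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data: which account is linked to which vehicle.
VEHICLE_OWNERS = {
    "1HGCM82633A004352": "alice@example.com",  # placeholder VIN / owner
    "JN1AZ4EH2FM123456": "bob@example.com",    # placeholder VIN / owner
}

ALLOWED_COMMANDS = {"lock", "unlock", "locate", "honk"}


@dataclass
class Request:
    session_user: str  # identity established from the caller's session
    vin: str           # VIN supplied in the request body
    command: str


class Unauthorized(Exception):
    pass


def handle_command_vulnerable(req: Request) -> str:
    """Bug pattern: trusts the VIN in the request, so any authenticated
    caller can command any vehicle whose VIN they happen to know."""
    if req.vin not in VEHICLE_OWNERS or req.command not in ALLOWED_COMMANDS:
        raise ValueError("unknown vehicle or command")
    return f"{req.command} sent to {req.vin}"


def vin_belongs_to(user: str, vin: str) -> bool:
    """Object-level authorization check: is this VIN linked to this account?"""
    return VEHICLE_OWNERS.get(vin) == user


def handle_command_fixed(req: Request) -> str:
    """Corrected handler: the VIN must belong to the session user.
    Unknown VINs and other people's VINs get the same error, so the
    response does not reveal which VINs exist in the system."""
    if req.command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    if not vin_belongs_to(req.session_user, req.vin):
        raise Unauthorized("vehicle not linked to this account")
    return f"{req.command} sent to {req.vin}"


def try_command(handler, req: Request) -> str:
    """Run a handler and report the outcome as a string (for comparison)."""
    try:
        return handler(req)
    except Unauthorized:
        return "denied"
    except ValueError:
        return "rejected"
```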
Lynnsey Ross, SiriusXM spokesperson, says that the issue "was fixed within 24 hours from the time the incident was reported" and that "at no time was any subscriber's or other data affected, nor was any account created by an unauthorized user or altered by the same method."
Curry has also disclosed an issue with the MyHyundai and MyGenesis apps that could allow attackers to take over vehicles remotely; he partnered with the automaker to address the problem.