A bug in Sirius XM’s connected vehicle services could have let an attacker remotely start, unlock, and locate a vehicle, as well as control its lights and sound its horn. The weakness was found by a team of security researchers led by Sam Curry, a security engineer at Yuga Labs, who detailed their findings in a thread on Twitter (via Gizmodo).
The telematics and infotainment systems used by a number of automakers, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, are powered by Sirius XM, which also offers a satellite radio subscription. These systems gather a great deal of easily overlooked data about your car, which has consequences for your privacy. A story from Vice last year reported that a surveillance contractor had pitched the US government on telematics-based location data covering over 15 billion vehicles.
While some infotainment systems collect data on your car’s GPS location, speed, turn-by-turn directions, and maintenance needs, others track call logs, voice commands, text messages, and other data. Vehicles can now offer “smart” features like automated crash detection, remote engine starting, stolen vehicle alerts, navigation, and the capability to lock or unlock your vehicle from a distance thanks to all of this data. All of these functions are available from Sirius XM, which also claims that over 12 million vehicles on the road are using its connected vehicle systems.
However, as Curry demonstrates, bad actors can take advantage of this system if the proper safeguards aren’t in place. In a statement to Gizmodo, Curry says Sirius XM “built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of the mobile app,” like MyHonda or Nissan Connected. Users can log into their accounts on these apps, which are linked to their vehicle’s VIN, to execute commands and obtain information about their cars.
It’s this system that could give bad actors access to someone’s car, Curry explains, because Sirius XM used the VIN linked to a person’s account as the identifier when relaying information and commands between the app and its servers. By crafting an HTTP request that fetched a user’s profile using only the VIN, Curry says he was able to obtain the vehicle owner’s name, phone number, address, and car details. He then tried issuing commands with the same VIN and discovered that he could remotely control the vehicle, allowing him to lock or unlock it, start the car, and perform other functions.
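The failure the article describes is an object-level authorization bug: the back end trusted the VIN supplied in the request and never checked that the authenticated account actually owned that vehicle. The following is an added example, not code from Sirius XM, the automaker apps, or Curry’s write-up; it models that mistake with a vulnerable handler beside a hardened one, and all VINs, account IDs, profiles, command names, and function names in it are constructed for illustration.

```python
# Added example, not code from Sirius XM or from Curry's write-up: it models
# the authorization failure the article describes as a broken object-level
# authorization (IDOR) check keyed on the VIN, and shows the fix. All VINs,
# account IDs, profiles, command names and function names are constructed.

VIN_ALPHABET = set("ABCDEFGHJKLMNPRSTUVWXYZ0123456789")  # VINs never use I, O or Q


def is_well_formed_vin(vin: str) -> bool:
    """Syntactic check only: 17 characters drawn from the VIN alphabet."""
    return len(vin) == 17 and all(c in VIN_ALPHABET for c in vin)


# Constructed back-end state: each vehicle's profile, and which account owns it.
PROFILES = {
    "1HGCM82633A004352": {"name": "Owner One", "phone": "555-0100", "address": "1 First St"},
    "JN1AZ4EH6DM430001": {"name": "Owner Two", "phone": "555-0101", "address": "2 Second St"},
}
OWNED_VINS = {
    "acct-1001": {"1HGCM82633A004352"},
    "acct-1002": {"JN1AZ4EH6DM430001"},
}
ALLOWED_COMMANDS = {"lock", "unlock", "remote_start", "locate", "flash_lights", "honk"}


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def vulnerable_get_profile(session_account: str, vin: str) -> dict:
    """The pattern in the report: the VIN in the request is treated as the
    authority, and the authenticated account is never compared against it."""
    return PROFILES[vin]


def vulnerable_send_command(session_account: str, vin: str, command: str) -> dict:
    """Same flaw on the command path: any logged-in account can drive any VIN."""
    return {"vin": vin, "command": command, "accepted": True}


def hardened_get_profile(session_account: str, vin: str) -> dict:
    """Fix: bind the VIN to the authenticated account before touching any data."""
    if not is_well_formed_vin(vin):
        raise BadRequest("malformed VIN")
    if vin not in OWNED_VINS.get(session_account, set()):
        # One response for 'not yours' and 'does not exist': no enumeration oracle.
        raise Forbidden("vehicle not associated with this account")
    return PROFILES[vin]


def hardened_send_command(session_account: str, vin: str, command: str) -> dict:
    """Commands reuse the same ownership gate and only accept known verbs."""
    hardened_get_profile(session_account, vin)
    if command not in ALLOWED_COMMANDS:
        raise BadRequest("unknown command")
    return {"vin": vin, "command": command, "accepted": True}


def cross_account_access_blocked(handler, session_account: str, vin: str, *args) -> bool:
    """True if the handler refuses a request for a VIN the account does not own."""
    try:
        handler(session_account, vin, *args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    attacker, victim_vin = "acct-1002", "1HGCM82633A004352"  # attacker owns a different car
    print("vulnerable profile leak :", vulnerable_get_profile(attacker, victim_vin))
    print("vulnerable unlock       :", vulnerable_send_command(attacker, victim_vin, "unlock"))
    print("hardened profile blocked:", cross_account_access_blocked(hardened_get_profile, attacker, victim_vin))
    print("hardened unlock blocked :", cross_account_access_blocked(hardened_send_command, attacker, victim_vin, "unlock"))
```

The point of the hardened version is not the VIN format check (a VIN is public, printed on the dashboard and in registration records) but that the server derives authority from the session, looks up which vehicles that account owns, and only then accepts the VIN as a selector among them. Returning the same error for a VIN the caller does not own and a VIN that does not exist also keeps the endpoint from being used to enumerate valid vehicles.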
Curry says he alerted Sirius XM of the flaw and that the company quickly patched it. In a statement to Gizmodo, the company said the vulnerability “was resolved within 24 hours after the report was submitted,” noting that “at no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.” Sirius XM didn’t immediately respond to The Verge’s request for comment.
Separately, Curry uncovered another flaw within the Hyundai and MyGenesis apps that could also potentially let hackers remotely hijack a vehicle, but says he worked with the automaker to fix the issue. White hat hackers have found similar exploits in the past. In 2015, a security researcher uncovered an OnStar hack that could’ve let bad actors locate a vehicle remotely, unlock its doors, or start the car. Around the same time, a report from Wired showed how a Jeep Cherokee could be remotely hacked and controlled with someone at the wheel.