A Sirius XM flaw could have allowed hackers to unlock and start cars remotely using connected vehicle services.
A vulnerability discovered in Sirius XM’s connected vehicle services could have enabled hackers to unlock and start cars remotely. Sam Curry, a security engineer at Yuga Labs, worked with security researchers to discover the flaw and outlined their findings.
In addition to providing a satellite radio subscription, Sirius XM powers the telematics and infotainment systems used by several automobile manufacturers, including Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota. The systems in these vehicles can collect a lot of data about your car: GPS location, speed, turn-by-turn navigation, maintenance requirements, voice commands on your phone, call logs, text messages, and more.
While this data enables features such as automatic crash detection, remote engine start, stolen vehicle alerts, navigation, and remote locking and unlocking, without proper safeguards the same system becomes a target for attackers. According to Curry, Sirius XM “built infrastructure around the sending and receiving of this data and allowed customers to authenticate to it using some form of mobile app,” such as MyHonda or Nissan Connected.
Each user account in these apps is linked to the vehicle’s VIN, which is used to execute commands and retrieve information about the car. Curry explains that this linkage is what could put users at risk: Sirius XM used the VIN tied to an account to relay information and commands between the app and its servers, so an attacker who knew a vehicle’s VIN could obtain the owner’s name, phone number, address, and vehicle details.
In his tests, Curry was able to execute commands using the VIN and found he could remotely control the vehicle: start the car, lock or unlock it, turn the lights on or off, and honk the horn. Curry says he reported the flaw to Sirius XM, and the company quickly patched it.
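The weakness Curry describes is a broken object-level authorization check: the server treats the VIN supplied in a request as proof that the caller owns the vehicle. The Python below is an added illustration of that pattern beside a corrected version; it is not Sirius XM’s or any automaker’s code, and the in-memory data store, endpoint functions, account names and sample VINs are assumptions constructed for the example. The hardened handlers resolve the VIN through the authenticated account rather than trusting the request body.

```python
"""Broken object-level authorization on a VIN, beside the corrected check.

Added illustration for this article. Not Sirius XM's or any automaker's code:
the data store, endpoint functions, accounts and VINs are all assumed.
"""
from dataclasses import dataclass

# Constructed sample data: two customers, each with one enrolled vehicle.
VEHICLES = {
    "1HGCM82633A004352": {"owner": "alice", "make": "Honda", "locked": True, "running": False},
    "JN1AZ4EH1DM123456": {"owner": "bob", "make": "Nissan", "locked": True, "running": False},
}
OWNERS = {
    "alice": {"name": "Alice Example", "phone": "555-0100", "address": "1 Main St"},
    "bob": {"name": "Bob Example", "phone": "555-0101", "address": "2 Main St"},
}
# account -> VINs enrolled on that account (what the mobile app links at sign-up)
ACCOUNT_VINS = {"alice": {"1HGCM82633A004352"}, "bob": {"JN1AZ4EH1DM123456"}}


@dataclass
class Session:
    """An authenticated app session. `account` comes from the login token,
    never from the request body."""
    account: str


class AuthorizationError(Exception):
    pass


def apply_command(vin: str, command: str) -> dict:
    """Apply a remote command to a vehicle record and return its new state."""
    v = VEHICLES[vin]
    if command == "unlock":
        v["locked"] = False
    elif command == "lock":
        v["locked"] = True
    elif command == "start":
        v["running"] = True
    elif command == "stop":
        v["running"] = False
    else:
        raise ValueError(f"unknown command {command!r}")
    return dict(v)


# --- Vulnerable: the VIN in the request body is treated as proof of ownership ---
def vulnerable_command(session: Session, body: dict) -> dict:
    vin = body["vin"]              # attacker-controlled; session.account is never consulted
    if vin not in VEHICLES:
        raise KeyError("unknown VIN")
    return apply_command(vin, body["command"])


def vulnerable_owner_info(session: Session, body: dict) -> dict:
    vin = body["vin"]              # same flaw: any known VIN yields the owner's PII
    return {"vin": vin, **OWNERS[VEHICLES[vin]["owner"]]}


# --- Hardened: the VIN must be enrolled on the *authenticated* account ---
def authorize_vin(session: Session, vin: str) -> str:
    if vin not in ACCOUNT_VINS.get(session.account, set()):
        # One response whether the VIN is unknown or belongs to someone else,
        # so the endpoint cannot be used to enumerate valid VINs.
        raise AuthorizationError("vehicle not linked to this account")
    return vin


def hardened_command(session: Session, body: dict) -> dict:
    vin = authorize_vin(session, body["vin"])
    return apply_command(vin, body["command"])


def hardened_owner_info(session: Session, body: dict) -> dict:
    vin = authorize_vin(session, body["vin"])
    return {"vin": vin, **OWNERS[VEHICLES[vin]["owner"]]}


def demo() -> dict:
    """Attacker holds a valid account of their own and a victim's VIN
    (a VIN is visible through the windshield and in sales listings)."""
    attacker = Session(account="bob")
    victim_vin = "1HGCM82633A004352"
    results = {}
    # Vulnerable endpoint: the victim's car is unlocked with the attacker's session.
    results["vulnerable"] = vulnerable_command(attacker, {"vin": victim_vin, "command": "unlock"})["locked"]
    # Hardened endpoint: the same request is rejected.
    try:
        hardened_command(attacker, {"vin": victim_vin, "command": "unlock"})
        results["hardened"] = "allowed"
    except AuthorizationError:
        results["hardened"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is deliberately not a VIN-format check or a rate limit: the VIN is a public identifier, so the only meaningful control is binding every vehicle operation to the account the token authenticates, and returning the same error for “unknown VIN” and “not yours” so the endpoint does not double as a VIN oracle.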
Lynnsey Ross, Sirius XM spokesperson, says that the vulnerability “was resolved within 24 hours after the report was submitted” and that “at no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”
Curry also reported a separate flaw in the MyHyundai and MyGenesis apps that could have let hackers hijack a vehicle remotely; he worked with the automaker to correct that issue.