Researchers have recently discovered a security vulnerability that allows threat actors to remotely attack vehicles through a service provided by SiriusXM. Models from carmakers Nissan, Honda, Acura, and Infiniti have been victims of this new method so far.
Researcher Sam Curry stated last week on Twitter that the flaw could be used to unlock, start, locate, and honk any car only by knowing the vehicle identifying number (VIN). More than 10 million vehicles in North America, including models from Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, are believed to use SiriusXM’s Connected Vehicles (CV) Services.
SiriusXM’s Connected Vehicles Service Exposed
The system is built to enable a variety of convenience, security, and safety features, including turn-by-turn navigation, enhanced roadside assistance, remote door unlocking, remote engine starting, assistance with recovering stolen vehicles, automatic crash notification, and integration with smart home devices.
The vulnerability is related to an authorization flaw in a telematics application that allowed remote attackers to take control of affected vehicles and collect victims’ personal information by sending a specially crafted HTTP request with the VIN number to a SiriusXM endpoint (“telematics.net”).
Not the Only Car Vulnerability
Curry detailed another separate vulnerability, this time affecting Hyundai and Genesis cars. The cars could be abused to remotely control the locks, engines, headlights, and trunks in the case of vehicles made after 2012 using the registered email addresses in the MyHyundai, respectively MyGenesis apps.
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
To explain how it worked and how we found it, we have @_specters_ as our mock car thief: pic.twitter.com/WWyY6vFoAF
— Sam Curry (@samwcyo) November 29, 2022
The researchers discovered a technique to skip the email validation stage and remotely take over a target car’s functionalities by reverse engineering the MyHyundai and MyGenesis applications and looking at the API traffic.
Both SiriusXM and Hyundai released patches to address the flaws.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.