Cybersecurity researchers have identified a security flaw that makes vehicles from Honda, Nissan, Infiniti, and Acura vulnerable to remote attacks through a connected vehicle service provided by SiriusXM. Researcher Sam Curry stated last week on Twitter that the vulnerability could be used to illegally unlock, start, locate, and honk a car by someone who knows only its Vehicle Identification Number (VIN).

More than 10 million vehicles in North America, including vehicles from BMW, Acura, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Nissan, Lexus, Toyota, and Subaru, are believed to use SiriusXM’s Connected Vehicles (CV) Services. The system is built to enable a wide range of convenience, security, and safety features, including turn-by-turn navigation, remote engine starting, remote door unlocking, automatic crash notification, assistance with recovering stolen vehicles, and integration with smart home devices.

The vulnerability stems from an authorization problem in a telematics application. It allowed attackers to take control of affected vehicles remotely and collect victims’ personal information by sending a specially crafted HTTP request containing the VIN to a SiriusXM endpoint (“telematics.net”).
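The authorization problem described above, shown from the server side as an added example; it is not SiriusXM's code or the researchers' own material. It contrasts a hypothetical command handler that trusts the VIN alone with one that checks the VIN against the authenticated account, and every account name, token and VIN in it is constructed.

```python
# Hypothetical telematics command handler; every name and value is constructed.
ENROLLMENTS = {                      # account -> VINs enrolled to it
    "acct-alice": {"TESTVIN0000000001"},
    "acct-bob": {"TESTVIN0000000002"},
}
SESSIONS = {"tok-alice": "acct-alice", "tok-bob": "acct-bob"}  # token -> account
COMMANDS = {"unlock", "start", "locate", "honk"}
DENIED = []                          # audit trail of rejected requests


def handle_vulnerable(req):
    """Flawed pattern: a known VIN is treated as proof of ownership."""
    vin = req.get("vin")
    if any(vin in vins for vins in ENROLLMENTS.values()):
        return 200, f"{req.get('command')} sent to {vin}"
    return 404, "unknown vehicle"


def handle_hardened(req):
    """Authenticate the caller, then authorize the VIN against that account."""
    account = SESSIONS.get(req.get("token"))
    if account is None:
        return _deny(401, "authentication required", None, req)
    if req.get("command") not in COMMANDS:
        return _deny(400, "unsupported command", account, req)
    vin = req.get("vin")
    # Same answer for "not yours" and "does not exist": no VIN enumeration.
    if vin not in ENROLLMENTS.get(account, set()):
        return _deny(403, "vehicle not available to this account", account, req)
    return 200, f"{req['command']} sent to {vin}"


def _deny(status, reason, account, req):
    # Record who asked for which VIN so cross-account attempts can be alerted on.
    DENIED.append({"status": status, "account": account, "vin": req.get("vin")})
    return status, reason


if __name__ == "__main__":
    cross = {"token": "tok-bob", "vin": "TESTVIN0000000001", "command": "unlock"}
    print(handle_vulnerable(cross))   # the VIN alone is enough
    print(handle_hardened(cross))     # rejected and logged
    print(DENIED)
```

The `DENIED` entries are what a detection rule would watch: one account repeatedly requesting VINs that are not enrolled to it.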