Threat Watch

SiriusXM Vulnerability Allows Hackers to Unlock and Start Cars Remotely

Cybersecurity researchers identified a security flaw that makes vehicles made by Honda, Nissan, Infiniti, and Acura vulnerable to remote attacks via a connected vehicle service provided by SiriusXM. Researcher Sam Curry stated last week on Twitter that the vulnerability could be used to illegally unlock, start, locate, and honk a car only by knowing the Vehicle Identifying Number (VIN). More than 10 million vehicles in North America, including vehicles from BMW, Acura, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Nissan, Lexus, Toyota, and Subaru, are believed to use SiriusXM’s Connected Vehicles (CV) Services. The system is built to enable a wide range of convenience, security, and safety features, including turn-by-turn navigation, remote engine starting, remote door unlocking, automatic crash notification, assistance with recovering stolen vehicles, and integration with smart home devices. The vulnerability is related to an authorization problem in a telematics application that allowed attackers to take control of affected vehicles remotely and collect victims’ personal information by sending a specially crafted HTTP request with the VIN to a SiriusXM endpoint (“telematics.net”). 

ANALYST NOTES

Curry also discussed another flaw that affects Hyundai and Genesis vehicles manufactured after 2012. The vulnerability could be used to remotely control locks, engines, headlights, and trunks by using the registered email addresses. “By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account that bypassed the JWT and email parameter comparison check,” stated Curry. However, since then, SiriusXM and Hyundai have released patches to fix the vulnerabilities.

https://thehackernews.com/2022/12/siriusxm-vulnerability-lets-hackers.html