Saturday, December 3, 2022

Sirius XM flaw could’ve let hackers remotely unlock and start cars

A vulnerability affecting Sirius XM’s connected vehicle services could’ve let hackers remotely start, unlock, locate, flash the lights, and honk the horn on cars. Sam Curry, Yuga Labs’ security engineer, was part of a group that discovered the flaw. They also shared their findings with other security researchers in a thread on Twitter (via Gizmodo).

Sirius XM not only provides satellite radio service, but also powers the telematics and infotainment systems of a variety of auto manufacturers like Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover and Lexus. These systems collect a lot of information about your car that’s easy to overlook — and could pose potential privacy implications. In 2013, a report from Vice alerted the US government to a spy company that was planning to sell telematics-based location data for over 15 billion vehicles.

While telematics systems obtain data about your car’s GPS location, speed, turn-by-turn navigation, and maintenance requirements, certain infotainment setups might track call logs, voice commands, text messages, and more. All of this data allows vehicles to provide “smart” features, like automatic crash detection, remote engine start, stolen vehicle alerts, navigation, and the ability to remotely lock or unlock your car. Sirius XM has all of these features, plus many more. More than 12 million vehicles use its connected vehicle systems.

However, as Curry demonstrates, bad actors can take advantage of this system if the proper safeguards aren’t in place. In a statement to Gizmodo, Curry says Sirius XM “built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app,” like MyHonda or Nissan Connected. Users can log into their accounts on these apps, which are linked to their vehicle’s VIN number, to execute commands and obtain information about their cars.

It’s this system that could give bad actors access to someone’s car, Curry explains, as Sirius XM uses the VIN number linked with a person’s account to relay information and commands between the app and its servers. By creating an HTTP request to fetch a user’s profile with the VIN, Curry says he was able to obtain the vehicle owner’s name, phone number, address, and car details. The VIN enabled Curry to remotely control his vehicle: he was able to lock, unlock, start and stop the car.
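The authorization gap described above, sketched as an added example (not Sirius XM's code and not taken from Curry's thread): a hypothetical telematics backend in which a VIN-only lookup sits beside a version that binds the VIN to the authenticated session. All account ids, tokens, function names and VIN placeholders are constructed for illustration.

```python
"""Hypothetical telematics backend: VIN-only lookup vs. an ownership check."""

# Constructed sample data; account ids, tokens and VIN placeholders are made up.
ACCOUNTS = {
    "acct-alice": {"name": "Alice Example", "vins": {"VIN-PLACEHOLDER-0001"}},
    "acct-bob": {"name": "Bob Example", "vins": {"VIN-PLACEHOLDER-0002"}},
}
SESSIONS = {"token-alice": "acct-alice", "token-bob": "acct-bob"}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop"}
AUDIT_LOG = []  # denied attempts, kept for detection and review


class Forbidden(Exception):
    pass


def get_profile_weak(vin):
    # Weak pattern: the VIN is treated as proof of ownership, so any caller
    # who knows a VIN receives the owner's profile.
    for account in ACCOUNTS.values():
        if vin in account["vins"]:
            return {"name": account["name"], "vin": vin}
    return None


def authorize(token, vin, action):
    # Identity comes from the server-side session, never from the request body.
    account_id = SESSIONS.get(token)
    if account_id is None:
        raise Forbidden("no valid session")
    if vin not in ACCOUNTS[account_id]["vins"]:
        AUDIT_LOG.append({"account": account_id, "vin": vin, "action": action})
        raise Forbidden("VIN is not bound to the calling account")
    return account_id


def get_profile(token, vin):
    account_id = authorize(token, vin, "profile")
    return {"name": ACCOUNTS[account_id]["name"], "vin": vin}


def send_command(token, vin, command):
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    authorize(token, vin, command)
    return {"vin": vin, "command": command, "status": "queued"}
```

The audit entries written on each denial give a detection signal: one account repeatedly requesting VINs it does not own is worth alerting on.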

Curry claims that he alerted Sirius XM about the problem and that they quickly fixed it. In a statement to Gizmodo, the company said the vulnerability “was resolved within 24 hours after the report was submitted,” noting that “at no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.” Sirius XM didn’t immediately respond to The Verge’s request for comment.

Separately, Curry discovered another flaw in the MyHyundai and MyGenesis apps that could allow hackers to remotely hijack a vehicle. However, he says that he worked with the automaker in order to resolve the problem. Similar exploits were found in the past by white-hat hackers. In 2015, a security researcher found an OnStar hack that could’ve let bad actors locate a vehicle remotely, unlock its doors, or start the car. Around the same time, a report from Wired showed how a Jeep Cherokee could be remotely hacked and controlled with someone at the wheel.
