Hackers find a way to access your personal information and steal your car at the same time

In context: External apps for cars are a great convenience. I love remote starting my Subaru Legacy to warm it up a bit now that the weather is getting chilly. However, these features are not without some risk. Some are calculated. For example, you can limit the chances of car theft by not unlocking or starting the car unless you have a direct line of sight. Other threats are out of your hands, like the security of the remote app.
Those handy remote car apps that let you start, unlock, honk and even locate your car from your phone may not be as secure as you thought. Hackers figured out a way to do all of these things without needing your login credentials.
The trick worked for several brands, including cars from Acura, Honda, Infiniti and Nissan. It can also work on BMW, Hyundai, Jaguar, Land Rover, Lexus, Subaru and Toyota, since they all use the same telematics provider. The list of cars is so broad because SiriusXM appears to be the company that handles remote services for all of these manufacturers.
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash and honk any remotely connected Honda, Nissan, Infiniti and Acura vehicle, completely without authorization, knowing only the vehicle’s VIN number.
Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) 30 November 2022
The hackers were unaware that SiriusXM itself was in this business, as it is better known for its satellite radio functionality. But if you own any of these brands, you’re probably already aware that SiriusXM is behind your car’s external services since you have to create an account to use them.
Sam Curry, a self-described hacker, bounty hunter and staff security engineer at Yuga Labs, explained in a Twitter thread that all he and his team needed to access a driver profile was the car’s Vehicle Identification Number (VIN). This code is unique to each car. However, it is easily obtained with a stroll through any parking lot, since it is visible through the windshield on the dashboard of most vehicles.
It took a while for the researchers to reverse engineer the apps, but since SiriusXM put all their eggs in one basket, they only needed one for a proof-of-concept – NissanConnect. They contacted someone who owned a Nissan and borrowed their credentials to dig further into the authentication process.
As we explored this path, we kept seeing SiriusXM referenced in source code and documentation related to vehicle telematics.
This was super interesting to us, because we didn’t know SiriusXM offered any remote vehicle management functionality, but it turns out they do! pic.twitter.com/Thxkdkdhn4
— Sam Curry (@samwcyo) 30 November 2022
The apps work by communicating with a domain owned by SiriusXM, not with the automaker, as one might intuitively think. Through trial and error, Curry found that the only parameter the NissanConnect app and the hosted authentication server cared about was “customerId”. Changing other fields, such as “vin”, had no effect.
While digging through the requests, the team discovered that the customerId field had a “nissancust” prefix and that a “Cv-Tsp” header specified “NISSAN_17MY” for the test vehicle. If they changed any of these values, the request failed. So they put that endpoint on the back burner and concentrated on others.
Several hours later, the researchers encountered an HTTP response containing a “vin”-formatted ID that “looked eerily similar to the ‘nissancust’ prefix from the earlier HTTP request.” So they tried passing the VIN-prefixed ID as the customer ID. Surprisingly, it returned a bearer token, which was something of a eureka moment. They then used the bearer token to send a fetch request for the user profile, and it worked.
The format of the “customerId” parameter was interesting as there was a “nissancust” prefix to the identifier along with the “Cv-Tsp” header specifying “NISSAN_17MY”.
When we changed one of these inputs, this request failed.
— Sam Curry (@samwcyo) 30 November 2022
The researchers accessed various customer details via HTTP, including the victim’s name, phone number, address and car details. Using this as a framework, they created a Python script to pull the customer details behind any VIN. More poking and prodding led Curry to discover that he could not only view account information, but also use the access to send command requests to the car.
“We were able to execute commands on vehicles and retrieve user information from the accounts by only knowing the victim’s VIN number, which was on the windshield,” Curry tweeted. “We were able to remotely unlock, start, locate, flash and honk any remotely connected Honda, Nissan, Infiniti and Acura vehicle, completely unauthorized, knowing only the VIN number [sic] off the car.”
It returned “200 OK” and returned a carriage return! This was exciting, we generated some token and it indexed the arbitrary VIN number as the identifier.
To make sure this wasn’t related to our session JWT, we completely dropped the authorization parameter and it still worked! pic.twitter.com/zCdCHQfCcY
— Sam Curry (@samwcyo) 30 November 2022
Furthermore, the telematics API calls worked even if the user no longer had an active SiriusXM subscription. Curry also noted that he could opt vehicle owners in to or out of the service at will.
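To make the authorization failure the article describes concrete, here is an added illustration (not SiriusXM’s, Nissan’s or the researchers’ code) modelling a token endpoint that trusts a client-supplied customerId beside a hardened version that binds identity to the authenticated session and checks vehicle ownership and subscription state before accepting a command. The account records, the “vin:” identifier format, the signing key and all function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed demo values; a real service would use managed secrets and a real account store.
SECRET = b"constructed-demo-key"
ACCOUNTS = {  # customerId -> vehicles bound to the account and subscription state
    "nissancust-1001": {"vins": {"VIN-CONSTRUCTED-A"}, "active": True},
    "nissancust-1002": {"vins": {"VIN-CONSTRUCTED-B"}, "active": False},
}

def _sign(customer_id: str) -> str:
    return hmac.new(SECRET, customer_id.encode(), hashlib.sha256).hexdigest()

def _resolve(customer_id: str) -> str:
    # Backend lookup that maps a VIN-formatted identifier to the account owning that VIN.
    if customer_id.startswith("vin:"):
        for cid, acct in ACCOUNTS.items():
            if customer_id[4:] in acct["vins"]:
                return cid
    return customer_id

def issue_token_vulnerable(session_subject, customer_id: str) -> str:
    # The flaw as the article describes it: the session (even a missing one) is ignored and
    # the client-supplied customerId alone decides which account the bearer token represents.
    cid = _resolve(customer_id)
    return f"{cid}.{_sign(cid)}"

def issue_token_hardened(session_subject, customer_id: str) -> str:
    # Identity comes from the authenticated session, never from a request parameter.
    if session_subject not in ACCOUNTS:
        raise PermissionError("no authenticated session")
    if customer_id != session_subject:
        raise PermissionError("customerId does not match the session")
    return f"{customer_id}.{_sign(customer_id)}"

def verify_token(token: str) -> str:
    cid, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(cid)):
        raise PermissionError("invalid token")
    return cid

def send_vehicle_command(token: str, vin: str, command: str) -> dict:
    # Object-level check: the token's account must own the VIN and still be subscribed.
    acct = ACCOUNTS.get(verify_token(token))
    if acct is None or vin not in acct["vins"]:
        raise PermissionError("vehicle not bound to this account")
    if not acct["active"]:
        raise PermissionError("subscription inactive")
    return {"vin": vin, "command": command, "status": "accepted"}
```

The vulnerable endpoint hands out a valid token for the owning account from a VIN alone, which is why every downstream check passes; the hardened one refuses unless the caller already holds a session for that same account.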
Don’t panic if you have one of these brands and use the remote functionality. Yuga Labs contacted SiriusXM about the gaping security hole, and it immediately issued an update before the researchers announced the vulnerability earlier this week.