Hackers find a way to access your personal information and steal your car at the same time

In context: External apps for cars are a great convenience. I love remote starting my Subaru Legacy to warm it up a bit now that the weather is getting chilly. However, these features are not without risk. Some of that risk you can manage: you can reduce the chance of theft by not unlocking or starting the car remotely unless you can actually see it. Other threats are out of your hands, like the security of the remote app itself.

Those handy remote car apps that let you start, unlock, honk and even locate your car from your phone may not be as secure as you thought. Hackers figured out a way to do all of these things without needing your login credentials.

The trick worked for several brands, including cars from Acura, Honda, Infiniti and Nissan. It can also work on BMW, Hyundai, Jaguar, Land Rover, Lexus, Subaru and Toyota since they all use the same telematics provider. The list of cars was so broad because it appears that SiriusXM is the company that handles remote services for all of these manufacturers.

The hackers were unaware that SiriusXM itself was in this business, as it is better known for its satellite radio service. But if you own any of these brands, you are probably already aware that SiriusXM is behind your car's remote services, since you have to create a SiriusXM account to use them.

Self-proclaimed hacker, bounty hunter and staff security engineer at Yuga Labs Sam Curry explained in a Twitter thread that all he and his team needed to access a driver profile was the car's Vehicle Identification Number (VIN). The VIN is unique to each vehicle, but it is easy to collect on a stroll through any parking lot, since on most cars it is visible through the windshield on a plate at the edge of the dashboard.

It took a while for the researchers to reverse engineer the apps, but since SiriusXM put all their eggs in one basket, they only needed one for a proof-of-concept – NissanConnect. They contacted someone who owned a Nissan and borrowed their credentials to dig further into the authentication process.

The apps work by communicating with a domain owned by SiriusXM, not with the automaker, as one might intuitively think. Through trial and error, Curry found that the only parameter the NissanConnect app and the hosting authentication server cared about was "customerId". Changing other fields, such as "vin", had no effect.

During the snooping, the team discovered that the customerId value carried a "nissancust" prefix and that the request included a "Cv-Tsp" header set to "NISSAN_17MY" for the test vehicle. Changing either of these caused the request to fail, so they set that endpoint aside and concentrated on others.

Several hours later, the researchers noticed an HTTP response containing an identifier in a "vin" format that "looked eerily similar to the 'nissancust' prefix from the earlier HTTP request." So they tried passing the VIN-prefixed ID as the customerId. Surprisingly, the server returned a bearer token, which was something of a eureka moment. They then used that bearer token to request the user profile, and it worked.

With that token the researchers could pull various customer details over HTTP, including the victim's name, phone number, address and vehicle details. Using this as a framework, they wrote a Python script that retrieves the customer details behind any VIN. More poking and prodding led Curry to discover that the same access let him not only view account information but also send command requests to the car.

“We were able to execute commands on vehicles and retrieve user information from the accounts by only knowing the victim’s VIN number, which was on the windshield,” Curry tweeted. “We were able to remotely unlock, start, locate, flash and honk any remotely connected Honda, Nissan, Infiniti and Acura vehicle, completely unauthorized, knowing only the VIN number [sic] off the car.”

Furthermore, the telematics API calls worked even if the owner no longer had an active SiriusXM subscription. Curry also noted that he could opt vehicle owners in to or out of the service at will.
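The chain the article describes (a VIN read off the windshield, a VIN-derived customerId accepted by the token endpoint, a bearer token, the profile fetch, vehicle commands, and commands still working after the subscription lapsed) is easier to reason about as code. The block below is an added illustration written for this page; it is not SiriusXM's backend or Curry's script. It models the flawed token endpoint in memory beside a hardened version that issues tokens only after a credential check, binds each token to one account, and refuses commands for unsubscribed accounts. The "vin:" identifier form, the token_for/login/profile/command method names, the account data and the VINs are all constructed assumptions; the real endpoints and parameters are not given in the article.

```python
"""Model of the authorization flaw described above (added example, not SiriusXM code)."""
import hashlib
import hmac
import secrets

# Constructed placeholder salt; a real system stores a random salt per user.
_SALT = b"constructed-static-salt"


def _hash_pw(password):
    """Slow password hash (PBKDF2) so stolen hashes are costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample account (placeholder VIN, not a real vehicle).
ACCOUNTS = {
    "nissancust1001": {
        "vin": "1N4AA5AP0EC000001",
        "name": "A. Driver",
        "phone": "+1-555-0100",
        "address": "1 Example St",
        "subscribed": False,  # lapsed subscription, as in the article
        "pw_hash": _hash_pw("correct-horse"),
    },
}


def _account_for(customer_id):
    """Resolve a client-supplied customerId to an internal account id.

    This is the flaw: a VIN-derived alias ("vin:<VIN>", constructed form)
    resolves to the same account as the internal "nissancust..." id, and
    nothing ties the caller to that account.
    """
    if customer_id in ACCOUNTS:
        return customer_id
    for acct_id, acct in ACCOUNTS.items():
        if customer_id == "vin:" + acct["vin"]:
            return acct_id
    return None


class VulnerableTelematics:
    """Issues a bearer token for any customerId it can resolve. No credentials."""

    def __init__(self):
        self._tokens = {}  # bearer token -> account id

    def token_for(self, customer_id):
        acct_id = _account_for(customer_id)
        if acct_id is None:
            raise PermissionError("unknown customerId")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = acct_id
        return tok

    def profile(self, token):
        acct = ACCOUNTS[self._tokens[token]]
        return {k: acct[k] for k in ("name", "phone", "address", "vin")}

    def command(self, token, vin, action):
        acct = ACCOUNTS[self._tokens[token]]
        if acct["vin"] != vin:
            raise PermissionError("vehicle not on this account")
        return f"{action}:{vin}:ok"  # note: no subscription check


class HardenedTelematics(VulnerableTelematics):
    """Tokens only after a credential check; commands need an active subscription."""

    def token_for(self, customer_id):
        raise PermissionError("an identifier alone is not authentication")

    def login(self, customer_id, password):
        acct = ACCOUNTS.get(customer_id)  # internal id only, no VIN alias
        if acct is None or not hmac.compare_digest(_hash_pw(password), acct["pw_hash"]):
            raise PermissionError("bad credentials")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = customer_id  # token bound to the authenticated account
        return tok

    def command(self, token, vin, action):
        acct = ACCOUNTS[self._tokens[token]]
        if not acct["subscribed"]:
            raise PermissionError("no active telematics subscription")
        return super().command(token, vin, action)


def vin_only_attack(backend, vin):
    """The article's chain: windshield VIN -> token -> profile -> command.

    Returns (profile, command_result) on success, or None if the backend refuses.
    """
    try:
        tok = backend.token_for("vin:" + vin)
        return backend.profile(tok), backend.command(tok, vin, "unlock")
    except PermissionError:
        return None
```

Running vin_only_attack against VulnerableTelematics yields the full profile and a successful unlock with nothing but the VIN; against HardenedTelematics it returns None, and even a legitimately logged-in owner of the lapsed account is refused vehicle commands until the subscription is active again.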

Don’t panic if you have one of these brands and use the remote functionality. Yuga Labs contacted SiriusXM about the gaping security hole, and it immediately issued an update before the researchers announced the vulnerability earlier this week.
