Sirius XM flaw could have allowed hackers to remotely unlock and start cars

Photo credit: Bastian Pudill

A Sirius XM flaw could have allowed hackers to remotely unlock and start cars using connected vehicle services.

A vulnerability discovered in Sirius XM’s connected vehicle services may have allowed hackers to remotely unlock and start cars. Sam Curry, a security engineer at Yuga Labs, worked with security researchers to discover the flaw and outlined their findings.

In addition to offering a satellite radio subscription, Sirius XM operates the telematics and infotainment systems used by several automakers, including Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota. The systems in these vehicles can collect a lot of data about your car: GPS location, speed, turn-by-turn navigation, maintenance requirements, voice commands on your phone, call logs, text messages and more.

Although this data enables vehicles with these systems to offer features such as automatic collision detection, remote engine start, stolen vehicle alerts, navigation and remote locking and unlocking, hackers can take advantage of the system if proper security measures are not in place. According to Curry, Sirius XM “built infrastructure around the transmission and reception of that data and allowed customers to authenticate to it using some form of mobile app,” such as MyHonda or Nissan Connected.

User accounts on these apps are linked to the vehicle’s VIN, which is used to execute commands and retrieve information about the car. Curry explains that this is the aspect that could potentially put users at risk, as Sirius XM uses the VIN associated with a person’s account to relay information and commands between the app and its servers. Hackers with this information can get the vehicle owner’s name, phone number, address and car details.

In Curry’s tests, he was able to execute commands using the VIN and discovered that he could remotely control the vehicle, allowing him to start the car, lock or unlock it, and perform other functions such as turning the lights on or off and honking the horn. Curry says he notified Sirius XM of the flaw, and the company quickly corrected it.
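The weakness described above comes down to a backend treating a VIN as if it were a credential rather than an identifier. The following is an added example, not code from Sirius XM or from Curry's write-up: a simplified Python model of a command handler that trusts a client-supplied VIN, next to one that checks the VIN against the authenticated account and records mismatches for detection. The handler names, account IDs, VINs and the `ENROLLMENTS` table are all hypothetical and constructed for illustration.

```python
# Added illustration: every name and value here is hypothetical and constructed.
from dataclasses import dataclass

# Constructed sample data: which account has enrolled which VIN.
ENROLLMENTS = {
    "acct-alice": {"1HGCM82633A000001"},
    "acct-bob": {"5YJSA1E26HF000002"},
}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "lights", "horn"}


@dataclass(frozen=True)
class Session:
    # Set by the server after login; never taken from the request body.
    account_id: str


class Forbidden(Exception):
    """Raised when a request is not authorized."""


def dispatch(vin: str, command: str) -> str:
    # Stand-in for relaying the command to the vehicle.
    return f"{command} sent to {vin}"


def handle_command_weak(request: dict) -> str:
    # Weak pattern: the VIN in the request is the only thing that selects
    # the target vehicle, so knowing a VIN is enough to command it.
    return dispatch(request["vin"], request["command"])


def handle_command_checked(session: Session, request: dict, audit_log: list) -> str:
    vin = request.get("vin", "")
    command = request.get("command", "")
    if command not in ALLOWED_COMMANDS:
        raise Forbidden("unknown command")
    # Authorization is derived from the server-side session, not from the
    # identifier the client sent.
    if vin not in ENROLLMENTS.get(session.account_id, set()):
        # Mismatches are worth alerting on: a legitimate app never asks
        # for a vehicle the account has not enrolled.
        audit_log.append({"event": "vin_ownership_mismatch",
                          "account": session.account_id,
                          "vin": vin, "command": command})
        raise Forbidden("vehicle not enrolled to this account")
    return dispatch(vin, command)
```
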

Lynnsey Ross, Sirius XM spokesperson, says the vulnerability “was resolved within 24 hours of the report being submitted” and that “at no time was any subscriber or other data compromised, nor was any unauthorized account changed using this method.”

Curry also reported discovering another bug in the MyHyundai and MyGenesis apps that could allow hackers to hijack a vehicle remotely. However, he worked with the automaker to correct the problem.
