A vulnerability affecting Sirius XM’s connected vehicle services allowed hackers to remotely start, unlock, locate, flash the lights on and honk the horn of affected cars. Sam Curry, a security engineer at Yuga Labs, worked with a group of security researchers to discover the flaw and outlined their findings in a thread on Twitter (via Gizmodo).
In addition to offering a satellite radio subscription, Sirius XM also supplies the telematics and infotainment systems used by a number of automakers, including Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota. These systems collect a large amount of information about your car that is easily overlooked, and that can have privacy implications. A report last year from Vice drew attention to a surveillance company planning to sell the telematics-based location data of more than 15 billion cars to the US government.
While telematics systems obtain data about your car’s GPS location, speed, turn-by-turn navigation and maintenance requirements, certain infotainment settings can also record call logs, voice commands, text messages and more. All of this data enables vehicles to provide “smart” features such as automatic crash detection, remote engine start, stolen vehicle alerts, navigation, and the ability to remotely lock or unlock your car. Sirius XM offers all of these features and more, and says that more than 12 million vehicles on the road use its connected vehicle systems.
However, as Curry points out, adversaries can exploit this system if proper precautions are not in place. In a statement to Gizmodo, Curry says Sirius XM built “infrastructure around sending/receiving this data and enabled customers to authenticate using some form of mobile app,” such as MyHonda or Nissan Connected. Users can log into their accounts on these apps, which are linked to their vehicle’s VIN (vehicle identification number), to issue commands and obtain information about their car.
It’s this system that can give attackers access to someone’s car, Curry explains, because Sirius XM used the VIN associated with an account as the key for passing information and commands between the app and its servers. A VIN is not a secret: it is stamped on the dashboard and windshield of every car and appears in listings and insurance documents. By crafting an HTTP request to retrieve a user’s profile with nothing more than the target’s VIN, Curry says he was able to retrieve the name, phone number, address and car details of the vehicle’s owner; the server did not check that the VIN belonged to the account making the request. He then tried executing commands using the same VIN and discovered that he could control the vehicle remotely, allowing him to lock or unlock it, start the engine, and perform other functions.
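The flaw described above is a broken object-level authorization bug: the server trusted a client-supplied VIN as proof of ownership. The following is an added illustration, not Sirius XM’s code or Curry’s actual requests, that models a VIN-keyed profile and command endpoint in two forms. The vulnerable handlers look the vehicle up by VIN alone; the hardened handlers first verify that the VIN is enrolled to the authenticated account. The vehicle records, VINs, account names and command set are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Vehicle:
    vin: str
    owner: str          # account the car is enrolled to (hypothetical field)
    profile: dict       # owner PII that the profile endpoint returns
    locked: bool = True
    engine_on: bool = False


def make_db():
    """Constructed sample data: two owners, two cars. VINs are made up."""
    return {
        "1HGCM82633A004352": Vehicle(
            "1HGCM82633A004352", "alice",
            {"name": "Alice Example", "phone": "555-0100", "address": "1 Main St"}),
        "JN1AZ4EH5DM000001": Vehicle(
            "JN1AZ4EH5DM000001", "bob",
            {"name": "Bob Example", "phone": "555-0199", "address": "9 Elm Ave"}),
    }


def _lock(v):
    v.locked = True


def _unlock(v):
    v.locked = False


def _start(v):
    v.engine_on = True


# Hypothetical remote-command set; the real one is broader (locate, honk, flash).
COMMANDS = {"lock": _lock, "unlock": _unlock, "start": _start}


def _state(v):
    return {"vin": v.vin, "locked": v.locked, "engine_on": v.engine_on}


# --- Vulnerable handlers: the VIN in the request body is the only key -------

def profile_vulnerable(db, session_user, body):
    """session_user is authenticated but never consulted, so any VIN works."""
    v = db.get(body.get("vin"))
    if v is None:
        return 404, {"error": "unknown vin"}
    return 200, v.profile


def command_vulnerable(db, session_user, body):
    v = db.get(body.get("vin"))
    if v is None:
        return 404, {"error": "unknown vin"}
    action = COMMANDS.get(body.get("command"))
    if action is None:
        return 400, {"error": "unknown command"}
    action(v)
    return 200, _state(v)


# --- Hardened handlers: bind the VIN to the authenticated account ------------

def _authorize(db, session_user, vin):
    """Return the vehicle only if it is enrolled to the calling account.

    Unknown VINs and VINs owned by someone else get the same None result so
    the endpoint cannot be used to confirm which VINs exist in the system.
    """
    v = db.get(vin)
    if v is None or v.owner != session_user:
        return None
    return v


def profile_fixed(db, session_user, body):
    v = _authorize(db, session_user, body.get("vin"))
    if v is None:
        return 404, {"error": "not found"}
    return 200, v.profile


def command_fixed(db, session_user, body):
    v = _authorize(db, session_user, body.get("vin"))
    if v is None:
        return 404, {"error": "not found"}
    action = COMMANDS.get(body.get("command"))
    if action is None:
        return 400, {"error": "unknown command"}
    action(v)
    return 200, _state(v)


if __name__ == "__main__":
    db = make_db()
    # An attacker with their own account but Alice's VIN (printed on her
    # windshield) gets her PII and can unlock her car through the weak handler.
    print(profile_vulnerable(db, "mallory", {"vin": "1HGCM82633A004352"}))
    print(command_vulnerable(db, "mallory",
                             {"vin": "1HGCM82633A004352", "command": "unlock"}))
    # The same requests are refused by the hardened handler.
    print(profile_fixed(make_db(), "mallory", {"vin": "1HGCM82633A004352"}))
```

The important design point is that the ownership check lives server-side in one place (`_authorize`) and is applied to every VIN-keyed endpoint, not just the profile lookup; the command path in the article was reachable with the same VIN, so patching only the profile endpoint would have left remote unlock and start exposed.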
Curry says he notified Sirius XM of the flaw and the company quickly patched it. In a statement to The Verge, company spokesperson Lynnsey Ross said the vulnerability was “resolved within 24 hours of the report being filed,” adding that “at no time was a subscriber or other data compromised, nor was an unauthorized account altered using this method.”
Separately, Curry discovered another flaw within the MyHyundai and MyGenesis apps that might also allow hackers to remotely hijack a vehicle, and says he has been working with the automaker to fix the problem. In a statement shared with The Verge by Hyundai spokesperson Ira Gabriel, the company confirmed that “Hyundai worked diligently with outside consultants to investigate the alleged vulnerability as soon as the researchers brought it to our attention.” It also notes that “no customer cars or accounts – for both Hyundai and Genesis – were used by others as a result of the issues raised by the investigators”, making it clear that its vehicles were not affected by the Sirius XM vulnerability.
White hat hackers have found similar exploits in the past. In 2015, a security researcher discovered an OnStar hack that allowed attackers to remotely locate a vehicle, unlock the doors, or start the car. Around the same time, a Wired report showed how a Jeep Cherokee could be remotely hacked and controlled while someone was behind the wheel.
Update December 3, 5:48 PM ET: Updated to add statement from Sirius XM and Hyundai.