SiriusXM Weakness Allows Cybercriminals to Unlock and Start Connected Cars Remotely

SiriusXM Weakness Allows Cybercriminals to Unlock and Start Connected Cars Remotely

Researchers in the field of cybersecurity have identified a security flaw that makes vehicles made by Honda, Nissan, Infiniti, and Acura vulnerable to remote cyberattacks via a connected vehicle service offered by SiriusXM. 

Last week, researcher Sam Curry mentioned on Twitter that the flaw could be used to illegally unlock, start, locate, and horn any automobile only by knowing the vehicle identification number (VIN). More than 10 million cars in North America, including models from Acura, Honda, Jaguar, BMW, Hyundai, Nissan, Infiniti, Land Rover, Toyota, Subaru, and Lexus, are supposed to use SiriusXM’s Connected Vehicles (CV) Services.

The system is made to enable multiple convenience, safety, and security, including turn-by-turn navigation, remote door unlocking, automatic crash notification, integration with smart home devices, assistance with recovering stolen vehicles, enhanced roadside assistance, and remote engine starting. The vulnerability is related to an authorization problem in a telematics application that enabled remote attackers to take control of impacted vehicles and collect victims’ personal information by submitting a specially crafted HTTP request with the VIN to a SiriusXM endpoint (“telematics.net”).

Curry also discussed a different vulnerability affecting Hyundai and Genesis automobiles that could be used to remotely manipulate the locks, engines, headlights, and trunks of vehicles manufactured after 2012 by exploiting the registered email addresses. The researchers discovered a technique to skip the email validation stage and remotely take over a target car’s functionalities by reverse engineering the MyHyundai and MyGenesis applications and looking at the API traffic.

“By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the JWT and email parameter comparison check,” Curry clarified.

Since then, patches have been released by SiriusXM and Hyundai to fix the issues. The information was discovered while Sandia National Laboratories compiled a list of known security holes in the infrastructure supporting electric vehicle (EV) charging that could be used to steal credit card information, change prices, or even take over an entire network of EV chargers.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: