Cybersecurity researchers have identified a security flaw that leaves vehicles made by Honda, Nissan, Infiniti, and Acura vulnerable to remote attacks through a connected vehicle service offered by SiriusXM.
Last week, researcher Sam Curry said on Twitter that the flaw could be used to illegally unlock, start, locate, and honk the horn of any automobile knowing only its vehicle identification number (VIN). More than 10 million cars in North America, including models from Acura, Honda, Jaguar, BMW, Hyundai, Nissan, Infiniti, Land Rover, Toyota, Subaru, and Lexus, are said to use SiriusXM’s Connected Vehicles (CV) Services.
The system is designed to provide a range of convenience, safety, and security services, including turn-by-turn navigation, remote door unlocking, automatic crash notification, integration with smart home devices, assistance with recovering stolen vehicles, enhanced roadside assistance, and remote engine starting. The vulnerability is an authorization problem in a telematics application: by submitting a specially crafted HTTP request containing the VIN to a SiriusXM endpoint (“telematics.net”), remote attackers could take control of impacted vehicles and collect victims’ personal information.
Curry also discussed a different vulnerability affecting Hyundai and Genesis automobiles that could be used to remotely manipulate the locks, engines, headlights, and trunks of vehicles manufactured after 2012 by exploiting the registered email addresses. By reverse engineering the MyHyundai and MyGenesis applications and inspecting their API traffic, the researchers found a way to skip the email validation stage and remotely take over a target car’s functions.
“By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the JWT and email parameter comparison check,” Curry clarified.
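The defensive side of the check Curry describes, as an added example that is not from his write-up or from Hyundai's code: a hypothetical backend that validates the address once, rejects control characters instead of trimming them, and uses the same canonical form for registration and for the JWT-versus-parameter comparison. The account store, function names, and address pattern are assumptions made for illustration.

```python
import re
import unicodedata

# Hypothetical in-memory account store (assumption); a real service would
# enforce a unique index on the canonical address in its database.
ACCOUNTS = {}

# Conservative pattern for the example, not a full RFC 5322 parser.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class InvalidEmail(ValueError):
    pass


def canonical_email(raw):
    """Validate raw input and return the one form used everywhere."""
    if not isinstance(raw, str):
        raise InvalidEmail("email must be a string")
    # Reject, never strip: if one layer trims CR/LF and another does not,
    # two different strings can end up naming the same mailbox.
    if any(unicodedata.category(ch).startswith(("C", "Z")) for ch in raw):
        raise InvalidEmail("control or whitespace character in email")
    # fullmatch, not match with "$": "$" also matches before a trailing "\n".
    if not _EMAIL_RE.fullmatch(raw):
        raise InvalidEmail("malformed email")
    return raw.lower()  # assumption: addresses are treated case-insensitively


def register(raw_email, owner):
    email = canonical_email(raw_email)
    if email in ACCOUNTS:
        raise InvalidEmail("address already registered")
    ACCOUNTS[email] = owner
    return email


def authorize(jwt_claims, email_param):
    """Allow a vehicle command only if the verified token's email claim and
    the request parameter canonicalise to the same registered address."""
    try:
        claimed = canonical_email(jwt_claims.get("email"))
        requested = canonical_email(email_param)
    except InvalidEmail:
        return False
    return claimed == requested and claimed in ACCOUNTS
```

`authorize` assumes the JWT signature has already been verified; `jwt_claims` is the decoded payload.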
SiriusXM and Hyundai have since released patches to fix the issues. The findings came to light as Sandia National Laboratories compiled a list of known security holes in the infrastructure supporting electric vehicle (EV) charging that could be used to steal credit card information, change prices, or even take over an entire network of EV chargers.