SiriusXM vulnerability allows hackers to remotely control your cars

A security vulnerability discovered in several automobiles including Infinity, Nissan, Honda and Acura allow threat actors to execute remote attacks using connected vehicle service provided by SiriusXM.

The vulnerability will allow hackers to remotely unlock, start, honk and locate any car without any authority over it using the vehicle identification numbers (VIN), as per Sam Curry’s tweet.  

SiriusXM’s connected vehicles (CV) services are the ones that is being used by several vehicles in North America, including Hyundai, Infiniti, BMW, Acura, Land Rover, Jaguar, Nissan, Subaru and Toyota.

The system is designed to enable a wide range of security, safety, convenience services including automatic crash notification, roadside assistance, remote engine start, remote door unlock, stolen car recovery assistance, navigation and integration with IoT devices.

The SiriusXM Vulnerability and how it affects the cars

The SiriusXM vulnerability relates to an authorization flaw in their telematics program that made will allow the victim’s personal data to be retrieved and then execute commands on the vehicles by transmitting a specially crafted HTTP request containing the VIN number to a SiriusXM endpoint.

Curry, the security researchers also mentioned that a different vulnerability is affecting Hyundai and Genesis vehicles that can abuse the car by remotely controlling their locks, engines, headlights, and trunks of the cars made using an email address.

By reverse engineering the MyGenesis and MyHyundai apps, inspecting API traffic, Curry found a route to manipulate the email validation process and take control of a car remotely.

He also said “By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the JWT and email parameter comparison check”.

SiriusXM and Hyundai have since rolled out patches to address the SiriusXM vulnerability.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, and Twitter.

You can reach out to us via Twitter/ Facebook or mail us at admin@thecybersecuritytimes.com for advertising requests.