Breaking

SiriusXM vulnerability allows hackers to remotely control your cars

A security vulnerability discovered in several automobiles including Infinity, Nissan, Honda and Acura allow threat actors to execute remote attacks using connected vehicle service provided by SiriusXM.

The vulnerability will allow hackers to remotely unlock, start, honk and locate any car without any authority over it using the vehicle identification numbers (VIN), as per Sam Curry’s tweet.  

SiriusXM’s connected vehicles (CV) services are the ones that is being used by several vehicles in North America, including Hyundai, Infiniti, BMW, Acura, Land Rover, Jaguar, Nissan, Subaru and Toyota.

The system is designed to enable a wide range of security, safety, convenience services including automatic crash notification, roadside assistance, remote engine start, remote door unlock, stolen car recovery assistance, navigation and integration with IoT devices.

The SiriusXM Vulnerability and how it affects the cars

The SiriusXM vulnerability relates to an authorization flaw in their telematics program that made will allow the victim’s personal data to be retrieved and then execute commands on the vehicles by transmitting a specially crafted HTTP request containing the VIN number to a SiriusXM endpoint.

Curry, the security researchers also mentioned that a different vulnerability is affecting Hyundai and Genesis vehicles that can abuse the car by remotely controlling their locks, engines, headlights, and trunks of the cars made using an email address.

By reverse engineering the MyGenesis and MyHyundai apps, inspecting API traffic, Curry found a route to manipulate the email validation process and take control of a car remotely.

He also said “By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the JWT and email parameter comparison check”.

SiriusXM and Hyundai have since rolled out patches to address the SiriusXM vulnerability.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, and Twitter.

You can reach out to us via Twitter/ Facebook or mail us at admin@thecybersecuritytimes.com for advertising requests.

Share the article with your friends
William Marshal

William has been one of the key contributors to 'The Cybersecurity Times' with 9.5 years of experience in the cybersecurity journalism. Apart from writing, he also like hiking, skating and coding.

Recent Posts

Best Microsoft Intune Alternatives: Top 5 MDMs to Consider

Explore the top 5 best Microsoft Intune alternatives, comparing key features, user reviews, and capabilities…

2 days ago

Top 7 Best Smartphones with Best Security Features in 2024

Discover the top 7 smartphones of 2024 with best security features, offering privacy, performance, and…

3 weeks ago

Top 11 Log Management Tools for Efficient System Management

Discover the top 11 log management tools for efficient system management and monitoring. Learn about…

2 months ago

Top 5 Threat Intelligence Tools For 2024

Explore the top 5 threat intelligence tools, their features, and how they enhance cybersecurity against…

2 months ago

Privileged Access Management: 5 Best PAM Solutions in the Market

Explore the top 5 best PAM Tools, market trends, and expert insights to secure the…

2 months ago

Apple Device Management: Top Solutions for iOS and macOS Management

Explore the top solutions for Apple Device Management including to iOS Device Management and macOS…

2 months ago