From www.pcmag.com

In the era of internet-connected vehicles, newly discovered cybersecurity issues are redefining what it means to “steal” a car.

In a recent experiment by Sam Curry, a staff security engineer at Yuga Labs and self-described hacker, his team was able to tap into a vulnerability in Sirius XM software to gain remote access to vehicles using their publicly available vehicle identification numbers (VINs), The Verge reports.


The SiriusXM Connected Services umbrella includes infotainment and telematics systems, which are used by 15+ OEMs, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.

Vehicle applications like MyHonda or Nissan Connect have Sirius XM integrations. So for Curry’s hacking experiment, he asked a friend for their Nissan account and logged in. This gave him access to the Nissan app to inspect its backend.


Nissan Connect app (Credit: Nissan)

Curry noticed the security system had a login loophole. It didn’t require a unique username and password to access someone’s account. Instead, Curry could enter just the VIN, which is publicly posted on the windshield of any vehicle.

The team then wrote a Python script that used the VIN to execute vehicle commands, allowing them to remotely start, unlock, locate, flash the lights, and honk the horn on the car. Theoretically, a bad actor could copy down the VIN from any car in their area, plug it into the script, and unlock the vehicle to steal something inside.

Another risk also surfaced: Curry’s program accessed private customer information such as address, name, phone number, and the latitude/longitude of the car. A hacker could use this information in multiple ways, including tracking the car regularly by its latitude and longitude, or using its known whereabouts to plan nefarious activity at the owner’s home.
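The flaw described above is a missing per-vehicle authorization check: the backend treated knowledge of a VIN as proof of ownership. The sketch below is an added example, not code from SiriusXM, Nissan, or Curry's team; it contrasts that pattern with a handler that authenticates the caller and then verifies the caller owns the VIN, for both commands and location data. All function names, tokens, and VIN values are hypothetical and constructed for illustration.

```python
# Constructed sample data (all values made up for this example).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> account
VEHICLES = {
    "VIN-EXAMPLE-0001": {"owner": "alice", "lat": 0.0, "lon": 0.0},
    "VIN-EXAMPLE-0002": {"owner": "bob", "lat": 1.0, "lon": 1.0},
}
COMMANDS = {"start", "unlock", "locate", "lights", "horn"}


def command_vin_only(vin, command):
    """Flawed pattern: the VIN is the only credential the handler asks for."""
    return 200 if vin in VEHICLES and command in COMMANDS else 404


def authorize(token, vin):
    """Authenticate the caller, then check that the caller owns this VIN."""
    account = SESSIONS.get(token)
    if account is None:
        return 401, None  # no valid session: a VIN alone proves nothing
    vehicle = VEHICLES.get(vin)
    # Same 403 for "not yours" and "no such VIN", so valid VINs cannot be probed.
    if vehicle is None or vehicle["owner"] != account:
        return 403, None
    return 200, vehicle


def command_checked(token, vin, command):
    """Hardened command handler: ownership is checked before anything else."""
    status, _ = authorize(token, vin)
    if status != 200:
        return status
    return 200 if command in COMMANDS else 400


def location_checked(token, vin):
    """Customer and location data go through the same ownership check."""
    status, vehicle = authorize(token, vin)
    if status != 200:
        return status, None
    return 200, (vehicle["lat"], vehicle["lon"])
```
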


“At this point, we identified that it was also possible to access customer information and run vehicle commands on Honda, Infiniti, and Acura vehicles in addition to Nissan,” Curry tweeted. “We reported the issue to SiriusXM who fixed it immediately and validated their patch.”

“At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method,” a Sirius XM spokesperson tells The Verge.


The post Hacker Exploits Sirius XM Flaw to Remotely Unlock, Honk Horn on Cars first appeared on www.pcmag.com
