Hackers found a way to unlock, start cars through Sirius XM and Hyundai app vulnerability

A white hat hacker — this is essentially a good guy, ethical hacker — named Sam Curry recently uncovered some security vulnerabilities in new cars that would allow him to remotely unlock, start, locate, flash, and honk new cars from numerous manufacturers.

The good news is that the exploits Curry, a security engineer at Yuga Labs, found are already patched, and any unethical hackers wouldn’t be able to use them now. However, that doesn’t take anything away from the fact that security cracks were there beforehand, presenting a risk to those who owned potentially affected cars.

The first hack Curry detailed — he posted detailed walkthroughs on Twitter — used a vulnerability in Sirius XM’s Connected Vehicle services. Turns out, a lot of OEMs use Sirius XM’s Connected Vehicle services to provide remote services to their cars. The list of manufacturers currently using this system includes Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota. With so many companies under one roof, it’s all the more important that said roof be secure, because one way in allows a hacker access to multiple car companies at once.

If you speak the language of computers and online security, we recommend you take a look through Curry's Twitter thread. To greatly simplify it, all Curry needed to execute the aforementioned commands on cars using Sirius XM Connected Vehicle services was the VIN of the car. Of course, this took a lot of work to finally get to, the sort of work only experts in this field would be capable of. Curry confirmed that his hack worked on Honda, Acura, Infiniti and Nissan vehicles, and suggested it would also work with the other manufacturers using Sirius XM Connected Vehicle services.

We queried Sirius about this hacking activity, and the company sent us a statement in return:

“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”