Skip to content
RealinfoSec.net

RealinfoSec.net

InfoSec News, Cybersecurity Awareness

  • Home
  • InfoSec News
    • Data Breach News
    • Latest Vulnerabilities
  • What Is InfoSec
  • CyberSecurity Newsletter
  • Cyber Academy
  • Cyber Help Desk
  • Cyber Knowledge Base
  • Contact Us
    • Contribute
  • My Bookmarks
  • Subscribers
    • Knowledge Quizzes
    • Register
  • Login
    • Password Reset
  • Register
  • Privacy Policy
    • Legal
  • Toggle search form
How Researchers Easily Hacked Several Different Vehicles Using a Sirius XM Bug

How Researchers Easily Hacked Several Different Vehicles Using a Sirius XM Bug

Posted on 1 December 20221 December 2022 By RiSec.n0tst3 No Comments on How Researchers Easily Hacked Several Different Vehicles Using a Sirius XM Bug

How is a vehicle hacked? Through its infotainment system, according to recently published research

According to recently published research, a number of well-known automakers, including Honda, Nissan, Infiniti, and Acura, were vulnerable to a previously unknown security flaw that might have enabled a cunning hacker to commandeer vehicles and steal customer data.

Researchers claim that a bug in the Sirius XM telematics infrastructure of the car would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, open the trunk, and access private customer information like the owner’s name, phone number, address, and vehicle specifics.

The flaw was found by a team of security experts who were looking into problems involving significant automakers. Sam Curry, a 22-year-old cyber specialist who is a member of the research team, said that he and his buddies were interested in the kinds of issues that would arise if they looked into the providers of so-called “telematic services” for automakers.

The majority of contemporary automobiles are essentially web-connected computers on wheels, even if you don’t own a Tesla. Cars are more handy and adaptable than ever thanks to the inflow and outflow of vehicle data, or telematics, but they are also more susceptible to hacker attacks and remote hijacking. Car manufacturers have been known to sell vehicle data to surveillance vendors, who then do creepy things like sell it to government agencies, making the telematics industry a huge privacy risk.

Curry and his colleagues found an authentication flaw inside Sirius XM infrastructure after digging around in code connected to several automotive apps. The infotainment systems in most cars contain Sirius, which offers associated telematic services to most automakers. According to Curry, SiriusXM is “bundled with the [vehicle’s] infotainment system which has the capability to perform actions on the [vehicle] (lock/unlock, etc.) and communicates via satellite to the internet to the SiriusXM API” in the majority of cars.

Recommended:  Female athletes hacked in 'reprehensible' naked photo leak

Individual vehicles are sending and receiving commands and data to Sirius, which means that under the right circumstances, information might be intercepted.

“It’s as if you had a cell phone connected to your vehicle and could receive and send text messages from the car telling it what to do or sharing the state of the car back to the sender,” Curry said. “In this case, they built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app (whether it’s the Nissan Connected mobile app or the MyHonda app). Once the customer was logged into their account and their account had their VIN number associated to it, they could access that pipeline where they can run commands and receive data (e.g. location, speed, etc) from their vehicle.”

By exploiting an authentication flaw in Sirius XM’s system, a cybercriminal could have hijacked the car, as well as the associated customer account information, Curry explained.

“We continued to escalate this and found the HTTP request to run vehicle commands,” Curry said, explaining how deep the hack went. “We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim’s VIN number, something that was on the windshield.”

When reached for comment, Sirius XM acknowledged the issue and provided Gizmodo with the following comment:

“A security researcher submitted a [bug bounty] report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”

Suffice it to say, these days it might be safer to pal around in a beat-up junker than your souped up electric vehicle. At least your 1979 Ford Pinto didn’t have hijack-able computer systems that could run you off the road.

Recommended:  Linux full-disk encryption bug fixed – patch now!

Suggest an edit to this article

Cybersecurity Knowledge Base

Homepage

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark

Please login to bookmark

Social Comments Box
  • About
  • Latest Posts
RiSec.n0tst3
Connect
RiSec.n0tst3
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK.

I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...

I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.

I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!
RiSec.n0tst3
Connect
Latest posts by RiSec.n0tst3 (see all)
  • JD Sports:Cyber Attack affects 10 million customers - 30 January 2023
  • InfoSec – A Newbie Guide – InfoSecurity - 25 January 2023
  • Apple is accused of censoring apps in Hong Kong and Russia - 22 December 2022
Share the word, let's increase Cybersecurity Awareness as we know it

No related articles.

InfoSec News, Trending Tags:hacked, Vehicle

Post navigation

Previous Post: Most Organizations Still Vulnerable To Year-Old Log4j Vulnerability
Next Post: Nvidia patches 29 GPU driver bugs that could lead to code execution, device takeover

Related Posts

UK anti-fraud efforts have failed and need ‘wholesale change,’ lawmakers say InfoSec News
image 13 SaltStack Salt REST API Arbitrary Command Execution Exploit InfoSec News
data breach CommonSpirit says 623K patients are affected by the data compromise Data Breach News
data breach Broward Health warns 1.3 million patients, staff of Data Breach Data Breach News
anonymous Anonymous #OpRussia Thousands of Sites Hacked, Data Leaks and More InfoSec News
google Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days InfoSec News

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

RiSec Captcha 9 + 1 =

AbuseIPDB Contributor Badge

Follow Our Socials:

Latest InfoSec News

Data Breach News InfoSec News

JD Sports: Cyber Attack affects 10 million customers

RiSec.n0tst3
30 January 2023 0
what is infosec
Cybersecurity Academy

InfoSec – A Newbie Guide – InfoSecurity

RiSec.n0tst3
25 January 2023 0
google
Cybersecurity Academy How to

Google Open-Source Vulnerability Scanning Tool

RiSec.Mitch
18 January 2023 0
InfoSec News

Polymorphic Malware Produced by ChatGPT

RiSec.Mitch
18 January 2023 0
russia
InfoSec News

Russian Hackers Repurpose Decade-Old Malware Infrastructure to Deploy New Backdoors

RiSec.Mitch
8 January 2023 0
latest cybersecurity news
InfoSec News

Dridex Banking Malware Targets MacOS users with a new delivery method

RiSec.Mitch
8 January 2023 0
ransomware
InfoSec News

Microsoft Discloses Methods Employed by 4 Ransomware Families Aiming at macOS

RiSec.Mitch
8 January 2023 0
InfoSec News

$8 billion in cryptocurrency withdrawals strike US bank Silvergate

RiSec.Mitch
8 January 2023 0

Featured Posts

cve-2022-38970
Data Security Featured How to InfoSec News Vulnerabilities

ieGeek Security Vulnerabilities still prevalent in 2022 IG20

RiSec.n0tst3
28 August 2022 6
Data Security Featured InfoSec News

Hacking Campaign Steals 10,000 Login Credentials From 130 Different Organizations

RiSec.n0tst3
27 August 2022 0
DDoS
Featured InfoSec News

Google mitigates largest DDoS Attack in History – Peaked at 46 Million RPS

RiSec.n0tst3
19 August 2022 1
Security researcher contacted me
Cybersecurity Academy Featured How to

A Security Researcher Contacted Me – What should I do?

RiSec.n0tst3
30 June 2022 0
google chrome
Featured InfoSec News

Google Chrome extensions can be easily fingerprinted to track you online

RiSec.n0tst3
19 June 2022 0
MFA
Cybersecurity Academy Data Security Featured

3 Steps To Better Account Security

RiSec.n0tst3
21 February 2022 0
hardening vps security
Cybersecurity Academy Featured

HARDEN YOUR VPS: Steps to Hardening your VPS Security

RiSec.n0tst3
10 January 2022 2

Share the joy

Copyright © 2022 RealinfoSec.net. CyberSecurity News & Awareness. All Trademarks, Logos And Brand Names Are The Property Of Their Respective Owners

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of the cookies. Cookie & Privacy Policy
Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT
en English
af Afrikaanssq Albanianam Amharicar Arabichy Armenianaz Azerbaijanieu Basquebe Belarusianbn Bengalibs Bosnianbg Bulgarianca Catalanceb Cebuanony Chichewazh-CN Chinese (Simplified)zh-TW Chinese (Traditional)co Corsicanhr Croatiancs Czechda Danishnl Dutchen Englisheo Esperantoet Estoniantl Filipinofi Finnishfr Frenchfy Frisiangl Galicianka Georgiande Germanel Greekgu Gujaratiht Haitian Creoleha Hausahaw Hawaiianiw Hebrewhi Hindihmn Hmonghu Hungarianis Icelandicig Igboid Indonesianga Irishit Italianja Japanesejw Javanesekn Kannadakk Kazakhkm Khmerko Koreanku Kurdish (Kurmanji)ky Kyrgyzlo Laola Latinlv Latvianlt Lithuanianlb Luxembourgishmk Macedonianmg Malagasyms Malayml Malayalammt Maltesemi Maorimr Marathimn Mongolianmy Myanmar (Burmese)ne Nepalino Norwegianps Pashtofa Persianpl Polishpt Portuguesepa Punjabiro Romanianru Russiansm Samoangd Scottish Gaelicsr Serbianst Sesothosn Shonasd Sindhisi Sinhalask Slovaksl Slovenianso Somalies Spanishsu Sudanesesw Swahilisv Swedishtg Tajikta Tamilte Teluguth Thaitr Turkishuk Ukrainianur Urduuz Uzbekvi Vietnamesecy Welshxh Xhosayi Yiddishyo Yorubazu Zulu