How Researchers Easily Hacked Several Different Vehicles Using a Sirius XM Bug
How is a vehicle hacked? Through its infotainment system, according to recently published research
According to recently published research, a number of well-known automakers, including Honda, Nissan, Infiniti, and Acura, were vulnerable to a previously unknown security flaw that might have enabled a cunning hacker to commandeer vehicles and steal customer data.
Researchers claim that a bug in the Sirius XM telematics infrastructure of the car would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, open the trunk, and access private customer information like the owner’s name, phone number, address, and vehicle specifics.
The flaw was found by a team of security experts who were looking into problems involving significant automakers. Sam Curry, a 22-year-old cyber specialist who is a member of the research team, said that he and his buddies were interested in the kinds of issues that would arise if they looked into the providers of so-called “telematic services” for automakers.
The majority of contemporary automobiles are essentially web-connected computers on wheels, even if you don’t own a Tesla. Cars are more handy and adaptable than ever thanks to the inflow and outflow of vehicle data, or telematics, but they are also more susceptible to hacker attacks and remote hijacking. Car manufacturers have been known to sell vehicle data to surveillance vendors, who then do creepy things like sell it to government agencies, making the telematics industry a huge privacy risk.
Curry and his colleagues found an authentication flaw inside Sirius XM infrastructure after digging around in code connected to several automotive apps. The infotainment systems in most cars contain Sirius, which offers associated telematic services to most automakers. According to Curry, SiriusXM is “bundled with the [vehicle’s] infotainment system which has the capability to perform actions on the [vehicle] (lock/unlock, etc.) and communicates via satellite to the internet to the SiriusXM API” in the majority of cars.
Individual vehicles are sending and receiving commands and data to Sirius, which means that under the right circumstances, information might be intercepted.
“It’s as if you had a cell phone connected to your vehicle and could receive and send text messages from the car telling it what to do or sharing the state of the car back to the sender,” Curry said. “In this case, they built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app (whether it’s the Nissan Connected mobile app or the MyHonda app). Once the customer was logged into their account and their account had their VIN number associated to it, they could access that pipeline where they can run commands and receive data (e.g. location, speed, etc) from their vehicle.”
By exploiting an authentication flaw in Sirius XM’s system, a cybercriminal could have hijacked the car, as well as the associated customer account information, Curry explained.
“We continued to escalate this and found the HTTP request to run vehicle commands,” Curry said, explaining how deep the hack went. “We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim’s VIN number, something that was on the windshield.”
When reached for comment, Sirius XM acknowledged the issue and provided Gizmodo with the following comment:
“A security researcher submitted a [bug bounty] report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”
Suffice it to say, these days it might be safer to pal around in a beat-up junker than your souped up electric vehicle. At least your 1979 Ford Pinto didn’t have hijack-able computer systems that could run you off the road.
Suggest an edit to this article
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...
I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.
I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!
