Sirius XM flaw could’ve let hackers remotely unlock and start cars

A vulnerability affecting Sirius XM’s connected vehicle services could’ve let hackers remotely start, unlock, locate, flash the lights, and honk the horn on cars. Sam Curry, a security engineer at Yuga Labs, worked with a group of security researchers to discover the flaw and outlined their findings in a thread on Twitter (via Gizmodo).

In addition to providing a satellite radio subscription, Sirius XM also powers the telematics and infotainment systems used by a number of auto manufacturers, including Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota. These systems collect a whole lot of information about your car that’s easy to overlook — and could pose potential privacy implications. Last year, a report from Vice called attention to a spy firm, called Ulysses, which collected and planned to sell over 15 billion telematics-based car locations to the US government.

While telematics systems obtain data about your car’s GPS location, speed, turn-by-turn navigation, and maintenance requirements, certain infotainment setups might track call logs, voice commands, text messages, and more. All of this data allows vehicles to provide “smart” features, like automatic crash detection, remote engine start, stolen vehicle alerts, navigation, and the ability to remotely lock or unlock your car. Sirius XM offers all these features and more, and says over 12 million vehicles on the road use its connected vehicle systems.

However, as Curry demonstrates, bad actors can take advantage of this system if the proper safeguards aren’t in place. In a statement to Gizmodo, Curry says Sirius XM “built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app,” like MyHonda or Nissan Connected. Users can log into their accounts on these apps, which are linked to their vehicle’s VIN number, to execute commands and obtain information about their cars.

It’s this system that could give bad actors access to someone’s car, Curry explains, as Sirius XM uses the VIN number linked with a person’s account to relay information and commands between the app and its servers. By creating an HTTP request to fetch a user’s profile with the VIN, Curry says he was able to obtain the vehicle owner’s name, phone number, address, and car details. He then tried executing commands using the VIN and discovered that he could remotely control the vehicle, allowing him to lock or unlock it, start the car, and perform other functions.

Curry says he alerted Sirius XM of the flaw and that the company quickly patched it. In a statement to The Verge, company spokesperson Lynnsey Ross said the vulnerability “was resolved within 24 hours after the report was submitted,” adding that “at no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”

Separately, Curry uncovered another flaw within the MyHyundai and MyGenesis apps that could also potentially let hackers remotely hijack a vehicle, but says he worked with the automaker to fix the issue. In a statement shared with The Verge by Hyundai spokesperson Ira Gabriel, the company confirmed that “Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention.” It also notes that “no customer vehicles or accounts — for either Hyundai or Genesis — were accessed by others as a result of the issues raised by the researchers,” and makes it clear that its vehicles weren’t affected by the Sirius XM vulnerability.

White hat hackers have found similar exploits in the past. In 2015, a security researcher uncovered an OnStar hack that could’ve let bad actors locate a vehicle remotely, unlock its doors, or start the car. Around the same time, a report from Wired showed how a Jeep Cherokee could be remotely hacked and controlled with someone at the wheel.