Hackers Could Remotely Unlock and Start Connected Cars Through SiriusXM Vulnerability

Vehicle telematics passed through the service allowed researchers with a car's VIN to control key functions.
SiriusXM Connected Vehicle Services HondaLink
via Honda, SiriusXM

It’s strange to think about how many devices talk over the internet in 2022. Your fridge, your toothbrush, and your coffee maker are just a few basic household appliances that are connected to the cloud for convenience’s sake. And whether you realize it or not, that brand-new car tucked away in your garage might be as well.

Security researchers like Yuga Labs’ Sam Curry have a particular interest in these connected cars. They want to hack them before bad actors find their way in. After a vigorous amount of sleuthing, Curry was able to find a vulnerability in connected Honda, Acura, Nissan, and Infiniti vehicles which allowed him to control features like unlocking doors and remotely starting engines.

Curry was able to locate the vulnerability by targeting a shared telematics platform offered by SiriusXM. In case you weren’t aware, SiriusXM—yes, the satellite radio company—offers a Connected Vehicle Services package that automakers can use to provide remote functionality without additional equipment.

The data exchanged by the telematics platform simply used the vehicle identification number (VIN) as the method to authorize commands. This means that if an attacker knew a vehicle’s VIN, they could send a specially-crafted message to the telematics platform and carry out a myriad of different commands, like unlocking the door, honking the horn, flashing the lights, or even starting the vehicle (though driving off without a key is very unlikely).

Curry validated this by capturing the traffic between an automaker’s mobile app and the telematics platform with Burp Suite. He then modified parameters with a completely different VIN to replay unique commands to other vehicles. What’s more is that he could also fetch customer details using only the VIN, making it possible to get a customer’s home address and contact information using the unique number visible from the outside of the windshield.

While Curry was only able to confirm that the vulnerability existed for Honda, Acura, Nissan, and Infiniti, that doesn’t cover all of the brands linked together by the service. SiriusXM says that it provides connected services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota. But before you freak out and wonder if your vehicle is affected, I’ve got good news: it’s not.

One way of properly reporting a vulnerability is by using a process called responsible disclosure. This is where bug bounty hunters like Curry assemble a detailed report of a security vulnerability and present it to a company before going public with it. This presents an opportunity for the company to patch the bug before it’s publicly disclosed, as well as provide a potential financial incentive for hackers to find and report these vulnerabilities rather than simply exploit or sell them to the highest bidder. Sometimes, companies don’t take these reports seriously and security researchers publish the findings anyway to strongarm them into fixing the problems. However, Curry says that SiriusXM was able to use the information to immediately patch the vulnerability.

Got a tip or question for the author? Contact them directly: rob@thedrive.com