Sirius XM flaw unlocks so-called smart cars thanks to code flaw
Telematics program doesn't just give you music, but a big security flaw
Sirius XM's Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN).
Yuga Labs' Sam Curry detailed the exploit in a series of tweets, and confirmed that the patch issued by SiriusXM fixed the security issue.
When asked about the bug, which affected Honda, Nissan, Infiniti, and Acura vehicles, a Sirius XM Connected Vehicle Services spokesperson emailed The Register the following statement:
"We take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method."
Curry and other bug hunters found several vulnerabilities affecting different car companies earlier this year, which prompted the researchers to ask "who exactly was providing the auto manufacturers telematic services" for the different automakers.
The answer was Sirius XM, which provides connected vehicle services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.
The researchers determined that the telematics platforms used the car's VIN, which on most cars is displayed at the windshield, both to authorize commands and to fetch user profiles:
It returned "200 OK" and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier. To make sure this wasn't related to our session JWT, we completely dropped the Authorization parameter and it still worked! pic.twitter.com/zCdCHQfCcY
— Sam Curry (@samwcyo) November 30, 2022
So as long as an attacker knew the VIN, which on many models can be read simply by walking past the car, they could send requests to the telematics platform and remotely unlock, start, and locate the connected cars, flash their lights, and honk their horns.
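The class of flaw described above, where a token is minted for whatever VIN the request names without identifying the caller, is shown here next to a hardened form. This is an added example, not Sirius XM's code: the VINs, accounts, session store, token format and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (placeholder VINs, accounts and session ids).
OWNERS = {"EXAMPLEVIN0000001": "alice", "EXAMPLEVIN0000002": "bob"}
SESSIONS = {"sess-alice": "alice"}      # session token -> logged-in account
SIGNING_KEY = secrets.token_bytes(32)   # per-process key for the demo


def _sign(payload):
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token_vulnerable(headers, vin):
    """Flawed pattern: the caller is never identified, so any VIN yields a token."""
    payload = f"anonymous:{vin}"
    return 200, f"{payload}:{_sign(payload)}"


def issue_token_hardened(headers, vin):
    """Identify the caller first, then require that the caller owns the VIN."""
    scheme, _, session = headers.get("Authorization", "").partition(" ")
    account = SESSIONS.get(session) if scheme == "Bearer" else None
    if account is None:
        return 401, None                # no valid session: refuse outright
    if OWNERS.get(vin) != account:
        return 403, None                # unknown VIN or someone else's car
    payload = f"{account}:{vin}"
    return 200, f"{payload}:{_sign(payload)}"


def authorize_command(token, vin):
    """Re-check on every vehicle command, not only when the token is issued."""
    parts = token.split(":")
    if len(parts) != 3:
        return False
    account, token_vin, sig = parts
    genuine = hmac.compare_digest(sig.encode(), _sign(f"{account}:{token_vin}").encode())
    return genuine and token_vin == vin and OWNERS.get(vin) == account
```

The per-command check is what keeps a token issued for one vehicle from being accepted for another, and it also rejects any token whose account does not own the VIN.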
According to Curry, the team plans to publish more of their findings from the car hacking case soon. Plus, they've already got requests on who and what to hack next, with one Twitter user begging: "Do OnStar next plz."
Earlier this year, security researchers discovered a different Honda bug that allowed miscreants to remotely start and unlock Civics manufactured between 2016 and 2020.
This flaw, tracked as CVE-2022-27254, was discovered by Ayyappan Rajesh, a student at the University of Massachusetts Dartmouth, and someone with the handle HackingIntoYourHeart.
In their research, they thanked mentor Sam Curry and explained "various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack." ®