This article is more than 1 year old

Sirius XM flaw unlocks so-called smart cars thanks to code flaw

Telematics program doesn't just give you music, but a big security flaw

Sirius XM's Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN).

Yuga Labs' Sam Curry detailed the exploit in a series of tweets, and confirmed that the patch issued by SiriusXM fixed the security issue.

When asked about the bug, which affected Honda, Nissan, Infiniti, and Acura vehicles, a Sirius XM Connected Vehicle Services spokesperson emailed The Register the following statement:

"We take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method."

Curry and other bug hunters found several vulnerabilities affecting different car companies earlier this year, which prompted the researchers to ask "who exactly was providing the auto manufacturers telematic services" for the different automakers.

The answer was Sirius XM, which handles connected vehicle services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.

The researchers determined that the telematics platforms used the car's VIN, which is located on most cars' windshield, to authorize commands and also fetch user profiles:

So as long as an attacker knew the VIN — this is easily obtained by simply walking by a car in many models — they could send requests to the telematics platform and remotely unlock, start, locate, flash the lights, and honk horns on the connected cars. 

According to Curry, the team plans to publish more of their findings from the car hacking case soon. Plus, they've already got requests on who and what to hack next, with one Twitter user begging: "Do OnStar next plz."

Earlier this year, security researchers discovered a different Honda bug that allowed miscreants to remotely start and unlock Civics manufactured between 2016 and 2020. 

This flaw, tracked as CVE-2022-27254, was discovered by Ayyappan Rajesh, a student at University of Massachusetts Dartmouth, and someone with the handle HackingIntoYourHeart. 

In their research, they thanked mentor Sam Curry and explained "various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack." ®

More about


Send us news

Other stories you might like