A Sirius XM bug could have allowed remote car unlocking and starting.

Posted on

A bug in Sirius XM’s connected vehicle services could have allowed for remote car start-up, unlocking, location, and lighting control as well as horn activation. The flaw was found by a team of security researchers led by Sam Curry, a security engineer at Yuga Labs, who detailed their findings in a thread on Twitter.

The telematics and infotainment systems used by a number of automakers, including Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, are powered by Sirius XM in addition to offering a satellite radio subscription. These devices gather a ton of easily overlooked data about your car, which may have repercussions for your privacy. A Vice report from the previous year brought to light a spy company called Ulysses that had amassed and intended to sell the US government over 15 billion telematics-based car locations.

While some infotainment systems collect data on your car’s GPS location, speed, turn-by-turn directions, and maintenance needs, others track call logs, voice commands, text messages, and other data. Vehicles can now offer “smart” features like automated crash detection, remote engine starting, stolen vehicle alerts, navigation, and the capability to lock or unlock your vehicle from a distance thanks to all of this data. All of these features are available from Sirius XM, which also claims that over 12 million vehicles on the road use its connected vehicle systems.

But as Curry shows, if the right precautions aren’t in place, evil actors can use this system. Curry claims that Sirius XM “built infrastructure around the sending and receiving of this data and allowed customers to authenticate to it using some type of mobile app,” like MyHonda or Nissan Connected. To issue commands and access information about their cars, users can log into their accounts on these apps, which are connected to their vehicle’s VIN number.

Curry notes that because Sirius XM uses the VIN number associated with a person’s account to transport information and instructions between the app and its servers, this technique might allow unauthorized parties access to a person’s car. Curry claims he was able to get the name, phone number, address, and automobile information of the vehicle owner by making an HTTP request to acquire a user’s profile with the VIN. Then he experimented with issuing commands using the VIN and found that he could remotely control the car, enabling him to lock or unlock it, start the car, and carry out other operations.

Curry claims that after informing Sirius XM of the problem, the firm fixed it right away. The vulnerability “was addressed within 24 hours after the complaint was filed,” business spokesperson Lynnsey Ross said in a statement to The Verge, adding that “at no point was any subscriber or other data exposed or was any unauthorized account edited utilizing this approach.”

Similar exploits have been discovered in the past by white hat hackers. A security researcher discovered an OnStar exploit in 2015 that might have allowed criminals to remotely locate vehicles, unlock their doors, or even start the vehicle. At the same time, a Wired article demonstrated how a Jeep Cherokee could be remotely exploited and controlled while someone was behind the wheel.