Hackers Could Remotely Unlock, Start Honda, Nissan, Infiniti, And Acura Cars Through SiriusXM


Sirius XM has been forced to fix a security flaw that allowed hackers to remotely unlock, start, locate, flash, and honk the horn of any remotely connected Honda, Nissan, Infiniti, and Acura models.

A popular hacker by the name of Sam Curry recently uncovered the security vulnerability and detailed the process in a series of tweets.

After finding a host of vulnerabilities affecting different car companies, Curry and his team began to search for a provider that was supplying telematics services to all of them. They discovered that SiriusXM was used in all affected vehicles and then determined, using the NissanConnect app, that it was possible to inspect and modify the app's HTTP traffic.

It was discovered that SiriusXM was using a vehicle’s VIN to authorize commands and fetch user profiles. Hackers uncovered owners’ names, phone numbers, addresses, and car details and were also able to run vehicle commands simply by knowing the VIN of a car.


Soon after discovering the vulnerability, Curry and his team reported the issue to SiriusXM, which quickly patched it.

“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms,” a Sirius XM Connected Vehicle Services spokesperson told The Register. “As part of this work, a security researcher submitted a report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”

Curry revealed that the car manufacturers had allowed owners to authenticate to the telematics service through a mobile app, such as the Nissan Connected app and the MyHonda app.

“It’s as if you had a cell phone connected to your vehicle and could receive and send text messages from the car telling it what to do or sharing the state of the car back to the sender,” Curry told Gizmodo. “In this case, they built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app (whether it’s the Nissan Connected mobile app or the MyHonda app). Once the customer was logged into their account and their account had their VIN number associated to it, they could access that pipeline where they can run commands and receive data (e.g. location, speed, etc) from their vehicle.”
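The authorization flaw described above (a VIN alone authorizing commands and profile lookups) is shown here beside a server-side check bound to the logged-in account. This is an added example, not SiriusXM's or the researchers' code; the handler names, data layout and VIN values are constructed for illustration.

```python
# Constructed sample data: VINs enrolled per account, and profile per VIN.
# "TESTVIN..." values are placeholders, not real vehicle identifiers.
ACCOUNT_VINS = {"alice": {"TESTVIN0000000001"}, "bob": {"TESTVIN0000000002"}}
PROFILES = {
    "TESTVIN0000000001": {"owner": "Alice Example", "phone": "555-0100"},
    "TESTVIN0000000002": {"owner": "Bob Example", "phone": "555-0101"},
}
ALLOWED_COMMANDS = {"unlock", "start", "locate", "flash", "honk"}
denied_log = []  # audit trail of rejected attempts, for detection


def handle_vulnerable(request):
    """Flawed pattern: the VIN sent by the client is the only thing checked."""
    vin = request["vin"]
    if vin in PROFILES:
        return {"status": 200, "profile": PROFILES[vin], "ran": request["command"]}
    return {"status": 404}


def handle_hardened(request, session_account):
    """Authorize against the authenticated session, not the client-supplied VIN."""
    if session_account is None:
        return {"status": 401}  # no authenticated session at all
    vin = str(request.get("vin", "")).strip().upper()
    command = request.get("command")
    if command not in ALLOWED_COMMANDS:
        return {"status": 400}
    # The VIN must be enrolled to the account that owns this session.
    if vin not in ACCOUNT_VINS.get(session_account, set()):
        denied_log.append((session_account, vin, command))
        # Same response for unknown and foreign VINs, so the endpoint
        # does not reveal which VINs are enrolled in the service.
        return {"status": 403}
    return {"status": 200, "profile": PROFILES[vin], "ran": command}


if __name__ == "__main__":
    foreign = {"vin": "TESTVIN0000000002", "command": "unlock"}
    print(handle_vulnerable(foreign))         # served with no session
    print(handle_hardened(foreign, "alice"))  # rejected: VIN not on account
    print(denied_log)
```

The entries in `denied_log` are the signal worth alerting on: one account requesting VINs it does not own.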

