SiriusXM Vulnerability Allows Hackers to Remotely Unlock and Start Connected Cars

A SiriusXM vulnerability allows hackers to remotely unlock and start connected cars, according to cybersecurity researchers.

Earlier last week, cybersecurity researcher Sam Curry stated in a tweet that the vulnerability can be used to exploit cars such as Honda, Nissan, Infiniti, and Acura just by knowing the vehicle identification number (VIN).

More than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, currently use SiriusXM’s Connected Vehicles (CV) Services.

SiriusXM’s Connected Vehicles offer a number of safety, security, and convenience services. It’s designed with automatic crash notification, enhanced roadside assistance, remote door unlock, remote engine start, and stolen vehicle recovery assistance. In addition, it integrates with smart home devices so you can control your car from anywhere using your phone or the touch of a button.

Security vulnerabilities have been discovered within SiriusXM’s telematics program. These vulnerabilities allow criminals both to retrieve a victim’s personal information and to execute commands on their vehicle by sending a specially crafted HTTP request containing the VIN to the telematics.net endpoint.

In related news, Curry also detailed a separate vulnerability that affects Hyundai and Genesis cars. It could be used to control locks, engines, headlights, and trunks using the registered email addresses.

The team of researchers at the University of Texas, San Antonio reverse engineered the MyHyundai and MyGenesis apps to inspect the API traffic. They found a way to get around the email validation step and seize control of a target car’s functions remotely.

Curry said, “We found that we could bypass the JWT and email check by adding a CRLF character at the end of an already-existing victim’s email address when registering.”
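The following is an added example, not code from the researchers or from Hyundai, showing how a registration check can be made robust against the trailing-CRLF input described in the quote. The function names, the sample addresses, and the assumption that a later component trims whitespace before the account lookup are all hypothetical.

```python
import unicodedata

class InvalidEmail(ValueError):
    """Raised when a registration address is malformed or already taken."""

def lax_is_new_account(email, registered):
    # Flawed check (assumed): raw string comparison, so a trailing CRLF
    # makes an existing address look like a brand-new one.
    return email not in registered

def lax_downstream_identity(email):
    # Assumed later component that trims whitespace before the account lookup.
    return email.strip().lower()

def canonical_email(raw):
    # Reject, never silently strip: control/format characters and any
    # whitespace have no place in a registration address.
    for ch in raw:
        if ch.isspace() or unicodedata.category(ch).startswith("C"):
            raise InvalidEmail(f"forbidden character {ch!r} in address")
    local, sep, domain = raw.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise InvalidEmail("address must have the form local@domain")
    # Policy choice: treat addresses as case-insensitive for uniqueness.
    return f"{local}@{domain}".lower()

def register(raw, registered):
    # Validate first, then compare canonical forms against existing accounts.
    canon = canonical_email(raw)
    if canon in registered:
        raise InvalidEmail("address already registered")
    registered.add(canon)
    return canon

def demo():
    registered = {"victim@example.com"}      # constructed sample data
    attempt = "victim@example.com\r\n"       # constructed input with CRLF
    results = {
        "lax_accepts": lax_is_new_account(attempt, registered),
        "lax_resolves_to": lax_downstream_identity(attempt),
    }
    try:
        register(attempt, registered)
        results["hardened_rejects"] = False
    except InvalidEmail:
        results["hardened_rejects"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The point for defenders is that every component that handles the address must agree on one canonical form, and that input which would need trimming is refused at registration rather than normalized later.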

After the flaws in SiriusXM and Hyundai were discovered, patches were quickly rolled out to correct the irregularities.

Sandia National Laboratories summarized the many flaws in the infrastructure powering electric vehicle charging. They found that attackers could circumvent security on an entire charger network, aim to skim credit card data, and even change pricing. There are a number of known flaws in the way the infrastructure is set up.
