SiriusXM Vulnerability Allows Cyber Criminals to Remotely Unlock and Start Cars: What You Need to Know

A vulnerability affecting SiriusXM’s connected vehicle services was recently uncovered – a vulnerability that, if exploited, could have enabled cyber criminals to remotely start, unlock, locate, flash the lights and honk the horn on affected cars. Security researchers discovered the flaw and outlined their findings in a Twitter thread.

Here’s what we know.

What’s going on?

SiriusXM’s Connected Vehicles (CV) Services is a vehicle telematics service provider designed to enable a wide range of safety, security and convenience services such as automatic crash notification, enhanced roadside assistance, remote door unlock, remote engine start, stolen vehicle recovery assistance, turn-by-turn navigation and integration with smart home devices, among others. More than 10 million vehicles in North America use the service, including models from Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota.

By sending a specially crafted HTTP request containing only the vehicle’s VIN to telematics[.]net, the researchers found an authorization flaw in the service that made it possible to execute commands on a vehicle and retrieve personal details about it: the VIN, a value that is printed on the dashboard and windscreen, was effectively being treated as the caller’s credential.
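The flaw described above is an instance of a broken object-level authorization check: the API identifies the vehicle from a VIN in the request but never ties the caller’s identity to that vehicle. The following is an added illustration, not SiriusXM’s code or the researchers’ findings; the account ids, tokens, VINs and vehicle records are constructed for the example, and the two handlers are hypothetical stand-ins for a telematics command endpoint. The weak handler accepts any request that names a known VIN; the hardened handler authenticates the caller first, checks that the authenticated account owns the VIN before executing anything, returns a uniform response on failure so VINs cannot be enumerated, and records every denial for detection.

```python
from dataclasses import dataclass, field
from typing import Optional

# --- Constructed sample data (hypothetical, not SiriusXM's) -----------------
# Vehicle records keyed by VIN; the VINs and accounts below are made up.
VEHICLES = {
    "1HGEXAMPLE000000001": {"owner": "acct-alice", "email": "alice@example.com",
                            "location": (41.88, -87.63)},
    "5YJEXAMPLE000000002": {"owner": "acct-bob", "email": "bob@example.com",
                            "location": (34.05, -118.24)},
}
# Bearer token -> authenticated account id (stand-in for a real session store).
SESSIONS = {"tok-alice": "acct-alice", "tok-bob": "acct-bob"}
ALLOWED_COMMANDS = {"unlock", "remote_start", "locate", "honk", "flash_lights"}

AUDIT_LOG: list[dict] = []  # denied attempts land here for detection and alerting


@dataclass
class Request:
    """Minimal model of an inbound HTTP request to the command endpoint."""
    vin: str
    command: str
    headers: dict = field(default_factory=dict)


def _execute(vin: str, command: str) -> dict:
    """Stand-in for dispatching the command to the vehicle's telematics unit."""
    record = VEHICLES[vin]
    if command == "locate":
        return {"status": "ok", "location": record["location"]}
    return {"status": "ok", "command": command}


def handle_command_vulnerable(req: Request) -> tuple[int, dict]:
    """Weak pattern: the VIN is treated as if it were a credential.

    The caller is never authenticated, so knowing a VIN is enough to issue
    commands and read the owner's personal details.
    """
    if req.vin not in VEHICLES or req.command not in ALLOWED_COMMANDS:
        return 404, {"error": "unknown vehicle or command"}
    result = _execute(req.vin, req.command)
    result["owner_email"] = VEHICLES[req.vin]["email"]  # leaks personal details
    return 200, result


def _authenticate(req: Request) -> Optional[str]:
    """Map the bearer token in the Authorization header to an account id, or None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def handle_command_hardened(req: Request) -> tuple[int, dict]:
    """Hardened pattern: authenticate, then authorize against the vehicle's owner.

    Object-level authorization ties the caller's account to the VIN. The deny
    response is uniform (404 for unknown and not-owned alike) so callers cannot
    tell whether a VIN exists, and each denial is logged for detection.
    """
    account = _authenticate(req)
    if account is None:
        return 401, {"error": "authentication required"}
    if req.command not in ALLOWED_COMMANDS:
        return 400, {"error": "unsupported command"}
    record = VEHICLES.get(req.vin)
    if record is None or record["owner"] != account:
        AUDIT_LOG.append({"event": "command_denied", "account": account,
                          "vin": req.vin, "command": req.command})
        return 404, {"error": "vehicle not found"}
    return 200, _execute(req.vin, req.command)


if __name__ == "__main__":
    # Constructed request carrying nothing but a VIN, as in the reported flaw.
    anon = Request(vin="1HGEXAMPLE000000001", command="unlock")
    print("vulnerable:", handle_command_vulnerable(anon))  # 200 and an unlock
    print("hardened:  ", handle_command_hardened(anon))    # 401, nothing happens
```

The detection value of the hardened handler is the audit log: a single account issuing commands against many VINs it does not own is exactly the pattern that should raise an alert, and it is invisible when the VIN alone is accepted as proof of ownership.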

What was the impact of the vulnerability?

Fortunately, the vulnerability was responsibly reported and patched by SiriusXM prior to public disclosure. These updates should have been applied automatically.

What should I do?

Along with the convenience of being able to remotely start or unlock your vehicle, the integration of the internet into cars presents owners with new challenges. Automotive organizations, dealerships and owners should ensure they keep their vehicles’ firmware updated to patch vulnerabilities.

  • Keep your vehicle up to date. Although the process differs between manufacturers, most vehicles receive Over-The-Air (OTA) updates.
  • Monitor for manufacturer recalls affecting your vehicle and follow the guidance provided.
  • When your vehicle is serviced at a dealership, ask whether any firmware updates are required.
