A vulnerability affecting SiriusXM’s connected vehicle services was recently uncovered. If exploited, it could have enabled cyber criminals to remotely start, unlock, locate, flash the lights and honk the horn on cars. Security researchers discovered the flaw and outlined their findings in a Twitter thread.
Here’s what we know.
SiriusXM’s Connected Vehicles (CV) Services is a vehicle telematics service provider designed to enable a wide range of safety, security and convenience services such as automatic crash notification, enhanced roadside assistance, remote door unlock, remote engine start, stolen vehicle recovery assistance, turn-by-turn navigation and integration with smart home devices, among others. There are more than 10 million vehicles using the service in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota.
By sending a specially crafted HTTP request containing only the vehicle’s VIN to telematics[.]net, researchers discovered an authorization flaw in the service that made it possible to execute commands on a vehicle and retrieve personal details associated with it. In other words, knowledge of the VIN alone was treated as sufficient authority to act on the vehicle; nothing tied the request to the account that actually owned it.
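To make the authorization point concrete, here is an added example (not SiriusXM’s code or the researchers’ material; the VINs, account names, locations and log lines are all constructed). It shows a hypothetical command handler that trusts the VIN in the request body beside one that resolves ownership server-side and checks it against the authenticated account, plus a small access-log check a defender could run to spot one account issuing commands against many distinct vehicles.

```python
"""Object-level authorization on a telematics-style command endpoint:
a weak handler that trusts the VIN in the request, a hardened handler
that checks ownership, and a log-based hunting check.
Hypothetical illustration; every record and log line below is constructed."""

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: which account owns which VIN.
VEHICLES = {
    "1HGCM82633A004352": {"owner": "alice", "location": (47.61, -122.33)},
    "JN1AZ4EH9DM000123": {"owner": "bob", "location": (34.05, -118.24)},
}


@dataclass(frozen=True)
class Request:
    user: str     # account identity established by the session/token layer
    vin: str      # VIN taken from the request body
    command: str  # e.g. "locate", "unlock", "remote_start"


def handle_weak(req: Request) -> dict:
    """Weak pattern: the VIN alone selects the vehicle. Nothing ties the
    authenticated caller to that VIN, so any caller who knows a VIN can
    act on the vehicle and read its data."""
    vehicle = VEHICLES[req.vin]
    return {"vin": req.vin, "command": req.command, "location": vehicle["location"]}


def handle_hardened(req: Request) -> dict:
    """Hardened pattern: ownership is resolved from the server's own records
    and compared with the authenticated account before any command is
    dispatched or any vehicle data is returned."""
    vehicle = VEHICLES.get(req.vin)
    if vehicle is None or vehicle["owner"] != req.user:
        # Unknown and foreign VINs get the same refusal, so the endpoint
        # does not confirm which VINs are enrolled.
        raise PermissionError("caller is not authorized for this vehicle")
    return {"vin": req.vin, "command": req.command, "location": vehicle["location"]}


def dispatch(handler, req: Request) -> tuple:
    """Run a handler and report ("ok", result) or ("denied", reason)."""
    try:
        return ("ok", handler(req))
    except PermissionError as exc:
        return ("denied", str(exc))


# Constructed access-log lines for the detection side.
SAMPLE_LOG = [
    "user=alice vin=1HGCM82633A004352 cmd=locate result=ok",
    "user=bob vin=JN1AZ4EH9DM000123 cmd=unlock result=ok",
    "user=bob vin=1HGCM82633A004352 cmd=locate result=ok",
    "user=bob vin=WBA3A5C55CF000999 cmd=locate result=ok",
]


def accounts_touching_many_vins(lines, threshold: int = 2) -> list:
    """Return accounts that issued commands for more than `threshold`
    distinct VINs. With a working ownership check a consumer account
    should rarely touch several vehicles, so this is a useful hunting signal."""
    seen = defaultdict(set)
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen[fields["user"]].add(fields["vin"])
    return sorted(user for user, vins in seen.items() if len(vins) > threshold)


if __name__ == "__main__":
    # bob knows alice's VIN but does not own the vehicle.
    foreign = Request(user="bob", vin="1HGCM82633A004352", command="locate")
    print("weak:    ", dispatch(handle_weak, foreign))      # weak handler returns alice's location
    print("hardened:", dispatch(handle_hardened, foreign))  # hardened handler denies
    print("owner:   ", dispatch(handle_hardened, Request("alice", "1HGCM82633A004352", "locate")))
    print("flagged: ", accounts_touching_many_vins(SAMPLE_LOG))
```

The hardened handler deliberately returns the same refusal for an unknown VIN and for a VIN owned by someone else; distinguishing the two would let callers confirm which VINs are enrolled. The log check is a coarse signal rather than proof of abuse (fleet or dealer accounts legitimately touch many vehicles), so the threshold should be tuned per account type.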
Fortunately, the vulnerability was responsibly reported and patched by SiriusXM prior to public disclosure. These updates should have been applied automatically.
Along with the convenience and comfort of being able to remotely start or unlock your car, the integration of the internet into vehicles presents owners with new challenges. Automotive organizations, dealerships and owners should ensure they are keeping their vehicle’s firmware updated to patch vulnerabilities.