Sirius XM flaw unlocks so-called smart cars thanks to code flaw
Sirius XM's Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN).
Yuga Labs' Sam Curry detailed the exploit in a series of tweets, and confirmed that the patch issued by SiriusXM fixed the security issue.
"We take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method."
So as long as an attacker knew the VIN, which on many models can be read simply by walking past the car, they could send requests to the telematics platform and remotely unlock, start, and locate the connected cars, flash their lights, and honk their horns.
According to Curry, the team plans to publish more of their findings from the car hacking case soon.
In their research, they thanked mentor Sam Curry and explained: "Various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack."
News URL
https://go.theregister.com/feed/www.theregister.com/2022/11/30/siriusxm_connected_cars_hacking/