Sirius XM has been forced to fix a security flaw that allowed hackers to remotely unlock, start, locate, flash, and honk the horn of any remotely connected Honda, Nissan, Infiniti, and Acura models.
A popular hacker by the name of Sam Curry recently uncovered the security vulnerability and detailed the process in a series of tweets.
After finding a host of vulnerabilities affecting different car companies, Curry and his team began to search for a service that was providing telematic services to all of them. It discovered that SiriusXM was used in all affected vehicles and then determined through the use of the NissanConnect app that it was possible to inspect and modify the HTTP code.
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) November 30, 2022
It was discovered that SiriusXM was using a vehicle’s VIN to authorize commands and fetch user profiles. Hackers uncovered owners’ names, phone numbers, addresses, and car details and were also able to run vehicle commands simply by knowing the VIN of a car.
Read: BMW Owners Have Hacked Their Cars Before And This Heated Seat Subscription Might Cause Them To Again
Soon after discovering the vulnerability, Curry and his team reported the issue to SiriusXM who quickly patched it.
“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms,” a Sirius XM Connected Vehicle Services spokesperson told The Register. “As part of this work, a security researcher submitted a report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”
It returned “200 OK” and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier.
To make sure this wasn’t related to our session JWT, we completely dropped the Authorization parameter and it still worked! pic.twitter.com/zCdCHQfCcY
— Sam Curry (@samwcyo) November 30, 2022
Curry revealed that the car manufacturers had allowed owners to authenticate data through a mobile app, such as the Nissan Connected app and the MyHonda app.
“It’s as if you had a cell phone connected to your vehicle and could receive and send text messages from the car telling it what to do or sharing the state of the car back to the sender,” Curry told Gizmodo. “In this case, they built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app (whether it’s the Nissan Connected mobile app or the MyHonda app). Once the customer was logged into their account and their account had their VIN number associated to it, they could access that pipeline where they can run commands and receive data (e.g. location, speed, etc) from their vehicle.”