Sam Curry could lock, unlock, and remotely start affected vehicles.
A cybersecurity expert has uncovered a vulnerability in connected vehicles from popular brands like Honda, Acura, Infiniti, and Nissan.
Sam Curry, a well-known bug bounty hunter, could remotely start engines, operate door locks, and, shockingly, locate vehicles. He took to Twitter to explain how this shocking flaw was uncovered - and it's got to do with SiriusXM Connected Vehicle Services.
The company enables manufacturers to offer consumers remote functionality. However, the platform's data exchange utilizes the VIN to authorize remote instructions. The risks are plain to see: A motivated hacker with enough knowledge could target unassuming individuals by unlocking the vehicle, starting the engine, and getting a fellow criminal to drive off with the car.
This would be entirely possible, as Curry's assessment also showed it was possible to get hold of private information, like home addresses. He wrote, "We took the authorization bearer and used it in an HTTP request to fetch the user profile. It worked!"
"The response contained the victim's name, phone number, address, and car details. At this point, we made a simple python script to fetch the customer details of any VIN number," added Curry.
Curry was only able to find this worrying vulnerability for the brands mentioned earlier but notes the service is also used by BMW, Hyundai, Jaguar, Land Rover, Lexus, and Toyota. So, if you drive a Honda Civic or a top-of-the-range Infiniti, is your vehicle at risk of being hacked? Hopefully not.
"We reported the issue to SiriusXM, who fixed it immediately and validated their patch," concluded Curry.
A spokesperson from SiriusXM Connect Vehicle Services said, "we take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. A security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program."
"The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method," he added.
Connected cars provide owners with more convenience, which is lovely, but some risks come with this technology. Earlier this year, hackers were able to remotely start Honda vehicles by exploiting the keyless-entry system.
Simply transmitting the correct authentication codes between the key fob and the car enables the hacker to start the vehicle and, theoretically, drive away with it. Similarly, a German security expert purported to have remote control over no less than 25 Teslas. The ethical hacker claimed he could open the doors and windows, check the vehicle's location, and even disable the Sentry Mode feature.
This increase in hacking attempts and obvious vulnerabilities has led the NHTSA to release new guidelines on vehicle cybersecurity. "Cybersecurity needs to be a top priority for every automaker, developer, and operator," said a representative at the time.