Sirius XM’s Connected Vehicle Services fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines of connected cars if they only knew the vehicle identification number (VIN).
Yuga Labs’ Sam Curry described the exploit in a series of tweets and confirmed that the patch released by SiriusXM fixed the security issue.
When asked about the bug, which affected Honda, Nissan, Infiniti and Acura vehicles, a spokesman for Sirius XM Connected Vehicle Services emailed The Register the following statement:
Curry and other bug hunters found several vulnerabilities affecting various automakers earlier this year, which led the researchers to ask “who exactly provided the automakers’ telematics services to the different automakers”.
The answer was Sirius XM, which handles connected vehicle services for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota.
The researchers found that the telematics platforms used the car’s VIN, found on the windshield of most cars, to authorize commands and also retrieve user profiles:
It returned “200 OK” and returned a bearer token! That was exciting, we generated a token and it indexed any VIN as an identifier. To make sure this wasn’t related to our session JWT, we omitted the Authorization parameter entirely and it still worked! pic.twitter.com/zCdCHQfCcY
— Sam Curry (@samwcyo) November 30, 2022
So as long as an attacker knew the VIN – which, on many models, can be easily found by simply walking past a car – they could send requests to the telematics platform and remotely unlock, start and locate the cars, flash their lights and honk their horns.
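The authorization pattern described above, sketched next to a corrected check. This is an added illustration, not SiriusXM's code or the researchers' requests; every name, session, key and VIN in it is constructed.

```python
import hashlib
import hmac
import secrets

# Everything below is constructed for illustration: keys, sessions, VINs, names.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-alice": "alice"}            # session token -> account
ENROLLED = {"alice": {"TESTVIN0000000001"}}   # account -> VINs enrolled to it
ALICE_VIN, OTHER_VIN = "TESTVIN0000000001", "TESTVIN0000000002"


class AuthzError(Exception):
    """Raised when a request is unauthenticated or not allowed for the VIN."""


def mint(subject: str) -> str:
    # Server-side MAC over the subject stands in for a signed bearer token.
    return hmac.new(SERVER_KEY, subject.encode(), hashlib.sha256).hexdigest()


def issue_token_vin_only(headers: dict, vin: str) -> str:
    # Flawed pattern from the article: headers are never inspected, so the
    # VIN, a value visible through the windshield, acts as the credential.
    return mint(vin)


def issue_token_checked(headers: dict, vin: str) -> str:
    scheme, _, session = headers.get("Authorization", "").partition(" ")
    account = SESSIONS.get(session) if scheme == "Bearer" else None
    if account is None:
        raise AuthzError("unauthenticated")
    if vin not in ENROLLED.get(account, set()):
        raise AuthzError("VIN not enrolled to this account")
    # Bind the token to account AND vehicle, not to the VIN alone.
    return mint(f"{account}:{vin}")


def authorize_command(token: str, account: str, vin: str) -> bool:
    # Re-check the binding on every command (unlock, start, locate, ...).
    return hmac.compare_digest(token, mint(f"{account}:{vin}"))
```

The corrected path rejects a missing or unknown session and a VIN the account does not own, and the token it issues is useless for any other vehicle.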
According to Curry, the team plans to release more findings from the auto-hacking case soon. They have also already received a request from a Twitter user about who and what to hack next: “Do OnStar next please.”
Earlier this year, security researchers uncovered another Honda bug that allowed rogues to remotely start and unlock Civics made between 2016 and 2020.
This bug, tracked as CVE-2022-27254, was discovered by University of Massachusetts Dartmouth student Ayyappan Rajesh and someone by the name of HackingIntoYourHeart.
In their research, they thanked mentor Sam Curry, explaining: “Various Honda vehicles broadcast the same unencrypted RF signal for every door open, door close, trunk open and remote start. This allows an attacker to eavesdrop on the request and perform a replay attack.” ®
https://www.theregister.com/2022/11/30/siriusxm_connected_cars_hacking/ Sirius XM bug unlocks smart cars thanks to code bug • The Register