Sirius XM’s Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN).
Yuga Labs’ Sam Curry detailed the exploit in a series of tweets, and confirmed that the patch issued by SiriusXM fixed the security issue.
When asked about the bug, which affected Honda, Nissan, Infiniti, and Acura vehicles, a Sirius XM Connected Vehicle Services spokesperson emailed The Register the following statement:
Curry and other bug hunters found several vulnerabilities affecting different car companies earlier this year, which prompted the researchers to ask “who exactly was providing the auto manufacturers telematic services” for the different automakers.
The answer was Sirius XM, which handles connected vehicle services for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.
The researchers determined that the telematics platform used the car’s VIN, which is visible through the windshield on most cars, both to authorize commands and to fetch user profiles:
It returned “200 OK” and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier. To make sure this wasn’t related to our session JWT, we completely dropped the Authorization parameter and it still worked!
— Sam Curry (@samwcyo) November 30, 2022
So as long as an attacker knew the VIN — this is easily obtained by simply walking by a car in many models — they could send requests to the telematics platform and remotely unlock, start, locate, flash the lights, and honk horns on the connected cars.
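To make the authorization flaw concrete, here is an added illustration (not code from SiriusXM, Curry, or this article) of a token-issuing endpoint that behaves as the tweet describes, beside a hardened version that ties the VIN to an authenticated account. The VINs, session tokens and account names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample data (not from the article): which account owns which VIN.
VEHICLE_OWNERS = {
    "VIN-CONSTRUCTED-001": "alice",
    "VIN-CONSTRUCTED-002": "bob",
}
# Constructed session store: bearer session token -> authenticated user.
SESSIONS = {"sess-alice-1": "alice", "sess-bob-1": "bob"}


def issue_vehicle_token(vin: str) -> str:
    """Mint a per-vehicle token (a stand-in for the platform's real token format)."""
    return hashlib.sha256(f"{vin}:{secrets.token_hex(8)}".encode()).hexdigest()[:32]


def vulnerable_token_endpoint(vin: str, authorization: Optional[str]) -> Tuple[int, dict]:
    """Mirrors the flaw as reported: possession of a VIN is treated as proof of
    authorization and the Authorization header is never consulted at all."""
    if vin not in VEHICLE_OWNERS:
        return 404, {"error": "unknown vehicle"}
    return 200, {"token": issue_vehicle_token(vin)}


def fixed_token_endpoint(vin: str, authorization: Optional[str]) -> Tuple[int, dict]:
    """Hardened version: require a valid session, then check that the caller's
    account actually owns the requested VIN before minting a vehicle token."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    user = SESSIONS.get(authorization[len("Bearer "):])
    if user is None:
        return 401, {"error": "invalid session"}
    owner = VEHICLE_OWNERS.get(vin)
    # Answer 404 both for unknown VINs and for VINs owned by someone else, so the
    # endpoint cannot be used to enumerate which VINs are enrolled.
    if owner is None or not hmac.compare_digest(owner.encode(), user.encode()):
        return 404, {"error": "vehicle not found"}
    return 200, {"token": issue_vehicle_token(vin)}
```

The key change is the object-level check: a VIN is an identifier, not a secret, so the server must verify ownership against the authenticated principal rather than trusting whoever supplies it.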
According to Curry, the team plans to publish more of their findings from the car hacking case soon. Plus, they’ve already got requests on who and what to hack next, with one Twitter user begging: “Do OnStar next plz.”
Earlier this year, security researchers discovered a different Honda bug that allowed miscreants to remotely start and unlock Civics manufactured between 2016 and 2020.
This flaw, tracked as CVE-2022-27254, was discovered by Ayyappan Rajesh, a student at University of Massachusetts Dartmouth, and someone with the handle HackingIntoYourHeart.
In their research, they thanked mentor Sam Curry and explained “various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack.” ®