Bug bounty hunter Sam Curry discovered a vulnerability in the SiriusXM Connected Vehicle Services telematics platform that allowed him to remotely perform unauthorized actions on connected Honda, Nissan, Infiniti, and Acura vehicles, including unlocking the doors, starting the engine, and honking the horn.
All the white hat hacker needed was the car's VIN. A VIN is often easy for anyone walking past a vehicle to read, since it is typically visible through the windshield at the base of the dashboard or stamped elsewhere on the car. VINs also turn up in data leaks: in 2017, the personal information of more than 10 million U.S. car owners was exposed in a large leak of vehicle identification numbers.
The vulnerability in the SiriusXM telematics platform also allowed an attacker to pull data about the targeted vehicle and its owner, including the owner's name and contact information such as phone number and address. The researcher reported the bug to SiriusXM, and it has been patched.
Gizmodo reached out to SiriusXM for comment, and a PR representative of the American broadcasting company confirmed the bug. The unnamed SiriusXM spokesperson told Gizmodo that the issue was resolved within 24 hours of the report being submitted. According to the statement, the bug was never maliciously exploited: at no point was any subscriber or other data compromised, or any account modified, using this vulnerability.
The 22-year-old bug bounty hunter explained on Twitter that most cars with SiriusXM come equipped with its infotainment and telematics system, which provides conveniences such as locking, unlocking, and locating the vehicle from a phone. Those commands do not go directly to the car: they travel over the internet to the SiriusXM API, which relays them to the vehicle (via satellite, according to the thread). The weak point is that authentication is the only gate. Anyone who can get an authenticated session against that API for a given vehicle can perform the same actions on it, and, as noted above, the VIN was all that was needed to get there, even for a car the caller did not own.
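The flaw class the thread describes, an API endpoint that selects the target vehicle purely by the VIN in the request, is easiest to see next to its fix. The following is an added example written for this page, not SiriusXM's code and not taken from Curry's write-up; the handler names, owner records and VINs are all constructed, and the "API" is an in-memory toy. The vulnerable handlers trust the supplied VIN once the caller is logged in; the hardened ones additionally require that the VIN be enrolled under the caller's own account (object-level authorization), and answer unknown and foreign VINs identically so the endpoint cannot be used to enumerate enrolled VINs.

```python
"""Added example (not SiriusXM's code): a toy telematics API showing a
VIN-keyed endpoint with no ownership check, next to a hardened version.
Names, VINs and owner records are all constructed for this illustration."""

from dataclasses import dataclass

# Constructed sample data. The VINs are made-up 17-character strings.
VEHICLES = {
    "1HGCM82633A004352": {"owner_id": "u-1001", "make": "Honda"},
    "JN1AZ4EH7DM123456": {"owner_id": "u-2002", "make": "Nissan"},
}
OWNERS = {
    "u-1001": {"name": "A. Owner", "phone": "555-0101", "address": "1 Main St"},
    "u-2002": {"name": "B. Owner", "phone": "555-0202", "address": "2 Elm St"},
}
ALLOWED_ACTIONS = {"lock", "unlock", "locate", "start", "honk"}


@dataclass
class Session:
    """An authenticated caller. Any registered subscriber can obtain one,
    so authentication by itself proves nothing about which car is theirs."""
    user_id: str


# --- Vulnerable handlers: the VIN in the request selects the target --------

def vulnerable_profile(session: Session, vin: str) -> tuple[int, dict]:
    """Returns (status, body). Authenticated, but the VIN is trusted as-is,
    so any subscriber can read any owner's name, phone and address."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None:
        return 404, {"error": "unknown vin"}   # also reveals which VINs exist
    return 200, OWNERS[vehicle["owner_id"]]


def vulnerable_command(session: Session, vin: str, action: str) -> tuple[int, dict]:
    """Same flaw for remote actions: whoever supplies the VIN controls the car."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None or action not in ALLOWED_ACTIONS:
        return 400, {"error": "bad request"}
    return 200, {"sent": action, "vin": vin, "make": vehicle["make"]}


# --- Hardened handlers: bind the VIN to the authenticated account ----------

def _vehicle_for_caller(session: Session, vin: str):
    """Object-level authorization: the VIN must belong to the caller's account.
    Unknown VINs and other people's VINs get the same answer so the endpoint
    cannot be used to enumerate which VINs are enrolled."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None or vehicle["owner_id"] != session.user_id:
        return None
    return vehicle


def hardened_profile(session: Session, vin: str) -> tuple[int, dict]:
    vehicle = _vehicle_for_caller(session, vin)
    if vehicle is None:
        return 403, {"error": "vehicle not associated with this account"}
    return 200, OWNERS[vehicle["owner_id"]]


def hardened_command(session: Session, vin: str, action: str) -> tuple[int, dict]:
    if action not in ALLOWED_ACTIONS:
        return 400, {"error": "bad request"}
    vehicle = _vehicle_for_caller(session, vin)
    if vehicle is None:
        return 403, {"error": "vehicle not associated with this account"}
    return 200, {"sent": action, "vin": vin, "make": vehicle["make"]}


if __name__ == "__main__":
    # An attacker holding their own valid account targets someone else's VIN.
    attacker = Session("u-2002")
    victim_vin = "1HGCM82633A004352"
    print(vulnerable_profile(attacker, victim_vin))               # leaks A. Owner
    print(vulnerable_command(attacker, victim_vin, "unlock"))     # unlocks the car
    print(hardened_profile(attacker, victim_vin))                 # 403
    print(hardened_command(attacker, victim_vin, "unlock"))       # 403
    print(hardened_command(Session("u-1001"), victim_vin, "unlock"))  # 200, real owner
```

The check has to sit on every VIN-keyed endpoint, not just the ones that issue commands: the profile lookup leaks the owner's contact details just as readily as the unlock endpoint opens the doors, and a 404-versus-403 difference is itself an oracle for which VINs are enrolled.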
Smart cars are essentially internet-connected devices, and this is not the first time researchers have found authentication and authorization loopholes like the one the young hacker discovered. Kia and Hyundai are still dealing with angry customers after a TikTok challenge demonstrated how anyone could steal some older models with only a USB cable and a screwdriver. The difference is where the fix lives: a flaw in a backend API like SiriusXM's can be patched server-side within hours, whereas a physical design weakness in cars already on the road cannot, and Kia and Hyundai had to rethink the anti-theft design of future models.