A flaw in the connected vehicle service SiriusXM allows remote car hacking

Researchers discovered a security flaw in the connected vehicle service SiriusXM that exposes multiple car models to remote attacks.

Cybersecurity researchers discovered a security vulnerability in the connected vehicle service provided by SiriusXM that can allow threat actors to remotely attack vehicles from multiple carmakers, including Honda, Nissan, Infiniti, and Acura.

Researcher Sam Curry shared details about his findings in a series of tweets, he demonstrated that a remote attacker can exploit the flaw in the service to unlock, start, locate, and honk a car by simply knowing the vehicle’s vehicle identification number (VIN).

Curry and his team scanned the internet to find domains owned by SiriusXM and perform reverse-engineering of the mobile apps of SiriusXM customers to figure out how the service works.

The experts began investigating the domain “http://telematics.net” handling services for enrolling vehicles in the SiriusXM remote management functionality.

The experts analyzed the NissanConnect app and reached out to some Nissan owners who signed into their accounts to inspect the HTTP traffic. It was easy to identify the format of the “customerId” parameter, which is composed of an “nissancust” prefix to the identifier along with the “Cv-Tsp” header which specified “NISSAN_17MY”. Any change to the inputs produced failure in the requests.

After hours of tests the experts noticed a format of VIN number in a HTTP responses vin:5FNRL6H82NB044273, which was similar to the “nissancust” prefix. Then the experts tried sending the VIN prefixed ID as the customerId, and it returned “200 OK” and returned a bearer token.

The experts took the authorization bearer and used it in an HTTP request to fetch the details of the user profile (name, phone number, address, and car details). The experts developed a simple python script to fetch the customer details of any VIN number.

The experts were also able to find the HTTP request to run vehicle commands.

The researcher reported their discovery to SiriusXM who immediately addressed the issue.

Curry and his team also discovered a vulnerability affecting Hyundai and Genesis vehicles that can be exploited to remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.

Hyundai also rapidly addressed the flaw

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, car hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]