App Bug Allowed Honda and Nissan Cars to Be Hacked Using Only the VIN
As convenient as it may be to control certain functions of your car from a mobile app, keep in mind that with innovative technology comes the threat of hackers finding vulnerabilities in it.
As it turns out, the remote car apps from several automakers, which let users start, unlock, honk and locate their car from their phones, could actually be operated without the owner’s login credentials.
Hacker, bug bounty hunter and staff security engineer for Yuga Labs Sam Curry published two threads on Twitter explaining his research, in which he uncovered this gaping hole in the remote security of connected car apps from several brands, including Nissan, Honda, Infiniti and Acura.
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash and honk any remotely connected Honda, Nissan, Infiniti and Acura vehicle, completely without authorization, knowing only the vehicle’s VIN number.
Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) 30 November 2022
Curry stated that he found the vulnerability by examining the telematics platform shared by all these companies, which is provided by SiriusXM. Otherwise known for its satellite radio service, SiriusXM offers a Connected Vehicle Services package for other brands as well, such as BMW, Hyundai, Jaguar, Land Rover, Lexus, Subaru and Toyota.
According to Curry, only the vehicle identification number (VIN) was needed to authorize the data exchanged through the telematics platform, allowing anyone who knew a vehicle’s VIN to issue commands such as unlocking the doors, honking, flashing the lights or starting the vehicle.
When Curry tested this, he also found that he could retrieve customer details such as a customer’s name, home address, contact information and car details just by using the VIN, which is visible through the windshield on the dashboard of most vehicles.
Furthermore, API calls for telematics services worked even if the user no longer had an active SiriusXM subscription. Curry also noted that he could opt vehicle owners in or unregister them from the service at will.
Curry was only able to confirm the vulnerability for Nissan, Honda, Infiniti and Acura vehicles; his findings did not cover the rest of the brands linked to the service.
On the bright side, however, you can rest assured that your car is no longer affected by the vulnerability. Before publicly disclosing his findings, Curry prepared a detailed report on the security vulnerability and presented it to the company.
He said SiriusXM had used that information to immediately patch the security issue, meaning the problem was already fixed before the news was made public.
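The class of flaw described above, where a vehicle identifier stands in for authorization, is shown below next to a check that binds the request to an authenticated owner and an active subscription. This is an added example, not SiriusXM’s code or anything from Curry’s threads; all function names, accounts, tokens and VINs are hypothetical.

```python
# Added illustration; every account, token and VIN here is constructed.
from dataclasses import dataclass

COMMANDS = {"unlock", "start", "locate", "flash", "honk"}

@dataclass(frozen=True)
class Enrollment:
    owner_id: str
    subscription_active: bool

# "TESTVIN..." values are placeholders (real VINs never contain the letter I).
VIN_A, VIN_B = "TESTVIN0000000001", "TESTVIN0000000002"
ENROLLMENTS = {
    VIN_A: Enrollment("acct-alice", True),
    VIN_B: Enrollment("acct-bob", False),  # lapsed subscription
}
SESSIONS = {"tok-alice": "acct-alice", "tok-bob": "acct-bob"}  # token -> account

def authorize_vin_only(vin, command):
    """Flawed pattern: the VIN alone is treated as proof of authority."""
    return vin in ENROLLMENTS and command in COMMANDS

def authorize_bound(session_token, vin, command):
    """Hardened pattern: returns (allowed, reason) for an audit log."""
    account = SESSIONS.get(session_token)
    if account is None:
        return (False, "unauthenticated")
    if command not in COMMANDS:
        return (False, "unknown_command")
    record = ENROLLMENTS.get(vin)
    # Unknown VIN and someone else's VIN get the same answer, so the
    # response cannot be used to learn which vehicles are enrolled.
    if record is None or record.owner_id != account:
        return (False, "forbidden")
    if not record.subscription_active:
        return (False, "subscription_inactive")
    return (True, "ok")

if __name__ == "__main__":
    print("VIN-only check:", authorize_vin_only(VIN_A, "unlock"))
    for tok, vin, cmd in [(None, VIN_A, "unlock"), ("tok-bob", VIN_A, "unlock"),
                          ("tok-bob", VIN_B, "start"), ("tok-alice", VIN_A, "honk")]:
        print(tok, vin, cmd, authorize_bound(tok, vin, cmd))
```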
Limited security options
In the digital age, connected cars are becoming increasingly popular. They offer a range of benefits, from remote access to fuel consumption monitoring and more. But for car owners who use apps to manage their vehicles, there are also potential security risks to deal with.
The security of a vulnerable app is in the hands of its developers and owners, and only they can issue security updates and patches to fix the problem. This leaves users with a limited set of conventional options. Here are a few steps you can take to protect your car from hackers and other cyber threats when using these applications.
For starters, don’t share your car’s VIN with untrusted third parties, and make sure you use a unique password for each app associated with your vehicle. Strong passwords that combine letters, numbers and symbols can help protect valuable data stored in the connected cloud networks used by these apps.
Additionally, users should regularly update their systems with any new security updates released by their chosen app vendor – these updates help keep hackers out of their car’s system.