Cybersecurity researchers have discovered a security vulnerability that exposes cars from Honda, Nissan, Infiniti and Acura to external attacks through a connected vehicle service provided by SiriusXM.
The problem could be exploited to unlock, start, locate and honk any car in an unauthorized way just by knowing the vehicle’s vehicle identification number (VIN), researcher Sam Curry said in a Twitter thread last week.
SiriusXM’s Connected Vehicles (CV) services are said to be used by more than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota.
The system is designed to enable a wide range of safety, security and convenience services such as automatic collision warning, enhanced roadside assistance, remote door locking, remote engine start, stolen vehicle recovery assistance, turn-by-turn navigation and integration with smart home devices, among others.
The vulnerability is linked to an authorization flaw in a telematics program that made it possible to retrieve a victim’s personal details as well as execute commands on the vehicles by sending a specially crafted HTTP request containing the VIN to a SiriusXM endpoint (“telematics.net”).
In a related development, Curry also detailed a separate vulnerability affecting Hyundai and Genesis vehicles that can be abused to remotely control the locks, engines, headlights and trunk of vehicles made after 2012 using the registered email addresses.
By reverse engineering the MyHyundai and MyGenesis apps and inspecting the API traffic, the researchers found a way to bypass the email validation step and take control of a target car’s functions remotely.
“By appending a CRLF character to the end of a pre-existing email address for a victim during registration, we were able to create an account that bypassed the JWT and email parameter comparison,” Curry explained.
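The class of bug described above, where an identity string padded with control characters is treated as new at registration but as the owner's at comparison time, is shown below with a weak and a hardened form of each check. This is an added example, not code from Hyundai, SiriusXM or the researchers. Assumptions: every function name, the sample account set and the model of a comparison that trims whitespace are hypothetical.

```python
import re

# Constructed sample data: one account already registered (hypothetical store).
EXISTING = {"owner@example.com"}

# Any ASCII control character or whitespace, which covers CR and LF.
_CONTROL = re.compile(r"[\x00-\x1f\x7f\s]")
# Deliberately conservative address syntax; used with fullmatch() so that a
# trailing newline can never slip past an end-of-string anchor.
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def naive_register(email, accounts):
    """Weak: exact-string uniqueness, so 'owner@example.com\\r\\n' counts as new."""
    if email in accounts:
        return False
    accounts.add(email)
    return True


def strict_register(email, accounts):
    """Hardened: reject control characters, then check uniqueness on a canonical form."""
    if _CONTROL.search(email) or not _EMAIL.fullmatch(email):
        return False
    canonical = email.lower()
    if canonical in {a.lower() for a in accounts}:
        return False
    accounts.add(canonical)
    return True


def naive_authorize(token_email, param_email):
    """Weak (assumed model): trims before comparing, so a padded identity
    in the token is treated as equal to the real owner's address."""
    return token_email.strip().lower() == param_email.strip().lower()


def strict_authorize(token_email, param_email):
    """Hardened: the token claim must be well formed and identical to the parameter."""
    return _EMAIL.fullmatch(token_email) is not None and token_email == param_email
```

Validating at registration and comparing without normalisation at authorization are independent controls; either one alone stops the padded address in this model.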
SiriusXM and Hyundai have since rolled out updates to address the bugs.
The findings come as Sandia National Laboratories summarized a number of known flaws in the infrastructure that powers electric vehicle (EV) charging, which can be exploited to skim credit card data, change prices and even hijack an entire EV charging network.