Studies on self-driving cars uncovered a Sirius XM bug that amounts to a huge security flaw.
According to recently published research, several well-known automakers, including Honda, Nissan, Infiniti, and Acura, were vulnerable to a previously unknown security flaw that could have enabled a skilled hacker to take over vehicles and steal customer data through a bug in the satellite radio service Sirius XM.
Researchers claim that a bug in the Sirius XM telematics infrastructure of the car would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, open the trunk, and access private customer information like the owner’s name, phone number, address, and vehicle specifics.
Why is the Sirius XM bug dangerous?
The majority of contemporary automobiles are essentially web-connected computers on wheels, even if you don’t own a Tesla. Cars are more handy and adaptable than ever thanks to the inflow and outflow of vehicle data or telematics, but they are also more susceptible to hacker attacks and remote hijacking.
Car manufacturers have been known to sell vehicle data to surveillance vendors, who then do strange things like sell it to government agencies, making the telematics sector a huge privacy risk.
The flaw was found by a team of security experts who were looking into problems involving significant automakers. Sam Curry, a 22-year-old cyber security specialist who is a member of the research team, said that he and his buddies were interested in the kinds of issues that would arise if they looked into the providers of so-called “telematic services” for automakers.
Sirius XM bug explained
Curry and his colleagues found an authentication flaw inside Sirius XM infrastructure after digging around in code connected to several automotive apps. The infotainment systems in most cars contain Sirius, which offers associated telematic services to most automakers.
According to Curry, Sirius XM is a common feature in vehicles. Describing the flaw, he stated:
“, bundled with the infotainment system which has the capability to perform actions on the vehicle and communicates via satellite to the internet to the SiriusXM API. It’s as if you had a cell phone connected to your vehicle and could receive and send text messages from the car telling it what to do or sharing the state of the car back to the sender.”
“In this case, they built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app (whether it’s the Nissan Connected mobile app or the MyHonda app). Once the customer was logged into their account and their account had their VIN number associated to it, they could access that pipeline where they can run commands and receive data (e.g. location, speed, etc) from their vehicle.”
– Sam Curry, Cyber security specialist
Individual vehicles are sending and receiving commands and data to Sirius, which means that under the right circumstances, information might be intercepted. Curry added that a cybercriminal might have taken control of the vehicle and the data linked to the client account by taking advantage of a Sirius XM system authentication weakness.
More details about the Sirius XM bug and its dangers are in the tweet Sam Curry shared from his @samwcyo account.
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here's how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) November 30, 2022
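As an added illustration (not code from the researchers or from Sirius XM), the sketch below contrasts a command handler that acts on a VIN alone, the "knowing only the VIN" failure mode described above, with one that ties every command to the authenticated account's own vehicles and records denials for review. All function names, tokens, account IDs and VINs are constructed placeholders.

```python
# Added illustration: hypothetical telematics command gateway, not Sirius XM's code.
# Constructed sample data: session token -> account, VIN -> owning account.
SESSIONS = {"tok-alice": "acct-1", "tok-bob": "acct-2"}
VIN_OWNER = {"TESTVIN0000000001": "acct-1", "TESTVIN0000000002": "acct-2"}
ALLOWED_COMMANDS = {"locate", "unlock", "start", "flash_lights", "honk"}
AUDIT_LOG = []  # denied attempts, kept for detection and incident review


def dispatch_vin_only(vin, command):
    """Weak pattern: the VIN both selects the vehicle and authorizes the action."""
    if vin in VIN_OWNER and command in ALLOWED_COMMANDS:
        return {"status": "sent", "vin": vin, "command": command}
    return {"status": "rejected"}


def dispatch_authorized(token, vin, command):
    """Hardened pattern: authenticate the caller, then check VIN ownership."""
    account = SESSIONS.get(token)
    if account is None:
        AUDIT_LOG.append(("unauthenticated", None, vin, command))
        return {"status": "rejected", "reason": "unauthenticated"}
    if command not in ALLOWED_COMMANDS:
        AUDIT_LOG.append(("bad_command", account, vin, command))
        return {"status": "rejected", "reason": "unknown command"}
    # Unknown VIN and someone else's VIN get the same answer, so the
    # endpoint cannot be used to test which VINs are enrolled.
    if VIN_OWNER.get(vin) != account:
        AUDIT_LOG.append(("vin_not_owned", account, vin, command))
        return {"status": "rejected", "reason": "not authorized for vehicle"}
    return {"status": "sent", "vin": vin, "command": command}


def denied_vins_by_account():
    """Group denied VINs per account; many distinct VINs is an alerting signal."""
    seen = {}
    for reason, account, vin, _command in AUDIT_LOG:
        if reason == "vin_not_owned":
            seen.setdefault(account, set()).add(vin)
    return seen
```

A VIN is printed on the vehicle and appears in many records, so it works as an identifier but not as a credential; the ownership check is what stops a logged-in customer from commanding someone else's car.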
When Sirius XM was contacted for comment, they recognized the problem and gave the following response:
“A security researcher submitted a [bug bounty] report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”
– Sirius XM
That covers the Sirius XM security flaw. To check whether your car has Sirius XM, see the company’s official website.