A slew of security researchers discovered a fairly easy way to commandeer Hondas, Nissans, Infinitis, and Acuras via their infotainment systems:
Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was in the car's Sirius XM telematics infrastructure and would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, pop the trunk, and access sensitive customer info like the owner's name, phone number, address, and vehicle details.
A group of security researchers discovered the bug while hunting for issues involving major car manufacturers. One of the researchers, 22-year-old cyber professional Sam Curry, said that he and his friends were curious about the kinds of problems that might crop up if they investigated providers of what are known as "telematic services" for carmakers.
[...] After poking around in code related to various car apps, Curry and his colleagues discovered an authentication loophole inside infrastructure provided by radio giant Sirius XM. Sirius is found inside most cars' infotainment systems and provides related telematic services to most car manufacturers. The way Curry explains it, most cars have SiriusXM "bundled with the [vehicle's] infotainment system which has the capability to perform actions on the vehicle (lock/unlock, etc) and communicates via satellite to the internet to the SiriusXM API." This means that data and commands are being sent to and from Sirius by individual vehicles and that information can be hijacked, under the right circumstances.
[...] "We continued to escalate this and found the HTTP request to run vehicle commands," Curry said, explaining how deep the hack went. "We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield."
Originally spotted on Schneier on Security.
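The flaw the summary describes, a vehicle command accepted on the strength of a VIN alone, is a broken object-level authorization check. The following is an added illustration (not code from the article, the researchers or SiriusXM): a constructed model of a telematics command endpoint with the VIN-only handler beside one that binds the VIN to the authenticated account and records denials for detection. The registry, VINs, account names and command set are all hypothetical.

```python
# Added example: a toy telematics command endpoint. Nothing here is the real
# SiriusXM API; the registry, VINs, accounts and field names are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed registry of which account each VIN is enrolled to.
VEHICLE_OWNERS = {
    "1HGCM82633A004352": "acct-alice",  # constructed sample VIN
    "JN1AZ4EH2DM000001": "acct-bob",    # constructed sample VIN
}
ALLOWED_COMMANDS = {"lock", "unlock", "locate", "honk"}
DENIED_LOG = []  # (account, vin) pairs refused; repeated probing shows up here

@dataclass
class Request:
    account: Optional[str]  # identity established by the session token, or None
    vin: str
    command: str

@dataclass
class Response:
    status: int
    body: str

def handle_command_vulnerable(req: Request) -> Response:
    """Flawed pattern: the VIN is treated as if it were a credential.
    Whoever knows a VIN can issue commands; the session is never consulted."""
    if req.vin not in VEHICLE_OWNERS:
        return Response(404, "unknown vehicle")
    if req.command not in ALLOWED_COMMANDS:
        return Response(400, "bad command")
    return Response(200, f"{req.command} sent to {req.vin}")

def handle_command_fixed(req: Request) -> Response:
    """Hardened: require an authenticated account, then require that the VIN
    is enrolled to that account. Unknown and foreign VINs get the same answer
    so the endpoint cannot be used to learn which VINs exist, and every
    refusal is logged so a caller cycling through VINs is visible."""
    if req.account is None:
        return Response(401, "authentication required")
    if req.command not in ALLOWED_COMMANDS:
        return Response(400, "bad command")
    if VEHICLE_OWNERS.get(req.vin) != req.account:
        DENIED_LOG.append((req.account, req.vin))
        return Response(403, "vehicle not enrolled to this account")
    return Response(200, f"{req.command} sent to {req.vin}")

if __name__ == "__main__":
    probe = Request(None, "1HGCM82633A004352", "unlock")  # VIN known, no login
    print(handle_command_vulnerable(probe))  # 200: command goes through
    print(handle_command_fixed(probe))       # 401: rejected
```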
(Score: 0) by Anonymous Coward on Saturday December 03, @12:57PM (3 children)
Here's the source, a series of tweets,
But as I worked through their "blow by blow" commentary, it seemed to me like there were plenty of other holes that remain to be explored. IANASR (security researcher), anyone with more experience care to comment?
(Score: 2) by janrinok on Saturday December 03, @01:31PM
Thanks for the link but it is already on the third word of TFA. That link also appears to be down, but for Twitter at the moment I am not surprised.
(Score: 5, Funny) by Gaaark on Saturday December 03, @04:05PM
So, it wasn't a serious SiriusXM problem, i guess.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by stretch611 on Sunday December 04, @11:30AM
And when was the last time your car and its computer got a code patch? This vulnerability is destined to be out in the wild until all the 2024 model year cars are too old to be on the road anymore.
SOME people may get a patch, assuming that it can be patched in software itself. If it is a hardware patch they are all screwed.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 2) by krishnoid on Saturday December 03, @08:50PM
Well, not that shocked [youtu.be]. It's a little unsettling how much more relevant the articles' situations are becoming, against which I post that link as a comment.
(Score: 2) by Unixnut on Sunday December 04, @12:41PM
> "We continued to escalate this and found the HTTP request to run vehicle commands,"
The problem (from my point of view) is not so much that this system is vulnerable, as much as that this system should not exist in the first place. I mean seriously. Cars with internet connections, and http servers, that can control the vehicle? That is just completely insane.