posted by janrinok on Saturday December 03 2022, @10:24AM

A slew of security researchers discovered a fairly easy way to commandeer Hondas, Nissans, Infinitis, and Acuras via their infotainment systems:

Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was in the car's Sirius XM telematics infrastructure and would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, pop the trunk, and access sensitive customer info like the owner's name, phone number, address, and vehicle details.

A group of security researchers discovered the bug while hunting for issues involving major car manufacturers. One of the researchers, 22-year-old cyber professional Sam Curry, said that he and his friends were curious about the kinds of problems that might crop up if they investigated providers of what are known as "telematic services" for carmakers.

[...] After poking around in code related to various car apps, Curry and his colleagues discovered an authentication loophole inside infrastructure provided by radio giant Sirius XM. Sirius is found inside most cars' infotainment systems and provides related telematic services to most car manufacturers. The way Curry explains it, most cars have SiriusXM "bundled with the [vehicle's] infotainment system which has the capability to perform actions on the vehicle (lock/unlock, etc) and communicates via satellite to the internet to the SiriusXM API." This means that data and commands are being sent to and from Sirius by individual vehicles and that information can be hijacked, under the right circumstances.

[...] "We continued to escalate this and found the HTTP request to run vehicle commands," Curry said, explaining how deep the hack went. "We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield."

Originally spotted on Schneier on Security.
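The flaw described above is a missing object-level authorization check: the API selected the target vehicle from the VIN in the request, and a VIN is printed on the windshield, so it is an identifier rather than a credential. The following is an added example, not SiriusXM's or the researchers' code, with made-up account ids and VINs; it places a handler that trusts the request's VIN beside one that authorizes the command against the vehicles the authenticated account actually owns, and records denials so repeated probing shows up in the audit log.

```python
"""Object-level authorization for a vehicle-command API (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: made-up account ids and VINs, not real customers.
ACCOUNT_VEHICLES = {
    "acct-1001": {"1HGCM82633A000001"},
    "acct-1002": {"1N4AL3AP0DC000002"},
}
KNOWN_VINS = set().union(*ACCOUNT_VEHICLES.values())
ALLOWED_COMMANDS = {"lock", "unlock", "remote_start", "locate"}


class AuthorizationError(Exception):
    """Raised for anything the caller may not do. The message is the same
    whether the VIN is unknown or belongs to someone else, so the API does
    not confirm which VINs exist."""


@dataclass
class CommandRequest:
    account_id: Optional[str]  # identity from the session token; None = anonymous
    vin: str
    command: str


def run_command_vin_only(req: CommandRequest) -> dict:
    """Weak handler: the VIN in the request is the only thing that selects
    the target vehicle, so anyone who can read a windshield can command the car."""
    if req.command not in ALLOWED_COMMANDS:
        raise ValueError(f"unsupported command {req.command!r}")
    if req.vin not in KNOWN_VINS:
        raise LookupError("unknown VIN")  # also tells the caller which VINs exist
    return {"vin": req.vin, "command": req.command, "status": "accepted"}


def run_command_authorized(req: CommandRequest, audit: list) -> dict:
    """Hardened handler: the target must be one of the authenticated account's
    own vehicles; the VIN only picks among them."""
    if req.command not in ALLOWED_COMMANDS:
        raise ValueError(f"unsupported command {req.command!r}")
    owned = ACCOUNT_VEHICLES.get(req.account_id or "", set())
    if req.vin not in owned:
        # One denial path covers "not logged in", "not your car" and "no such car".
        audit.append({"event": "vehicle_command_denied", "account_id": req.account_id,
                      "vin": req.vin, "command": req.command})
        raise AuthorizationError("vehicle not available to this account")
    audit.append({"event": "vehicle_command_accepted", "account_id": req.account_id,
                  "vin": req.vin, "command": req.command})
    return {"vin": req.vin, "command": req.command, "status": "accepted"}


def denials_by_account(audit: list) -> dict:
    """Detection helper: number of distinct VINs each account was denied on.
    One account (or anonymous traffic) denied across many VINs looks like
    someone walking through identifiers, not a mistyped request."""
    seen: dict = {}
    for entry in audit:
        if entry["event"] == "vehicle_command_denied":
            key = entry["account_id"] or "<anonymous>"
            seen.setdefault(key, set()).add(entry["vin"])
    return {account: len(vins) for account, vins in seen.items()}


if __name__ == "__main__":
    audit: list = []
    # Owner B sends a command naming Owner A's VIN.
    cross = CommandRequest("acct-1002", "1HGCM82633A000001", "unlock")
    print("vin-only handler:", run_command_vin_only(cross))  # accepted: the flaw
    try:
        run_command_authorized(cross, audit)
    except AuthorizationError as err:
        print("authorized handler:", err)
    print("owner's own car:", run_command_authorized(
        CommandRequest("acct-1001", "1HGCM82633A000001", "unlock"), audit))
    print("denials:", denials_by_account(audit))
```

The hardened handler never consults the global VIN table for authorization; it starts from the account and asks whether the requested VIN is among that account's vehicles. Returning one error for "not yours" and "does not exist" keeps the endpoint from doubling as a VIN lookup, and the per-account denial count is the kind of signal a detection rule would alert on.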

  • (Score: 0) by Anonymous Coward on Saturday December 03 2022, @12:57PM (3 children)

    by Anonymous Coward on Saturday December 03 2022, @12:57PM (#1281008)

    Here's the source, a series of tweets:
        https://twitter.com/samwcyo/status/1597792097175674880

    Last one:

    We reported the issue to SiriusXM who fixed it immediately and validated their patch.

    But as I worked through their "blow by blow" commentary, it seemed to me like there were plenty of other holes that remain to be explored. IANASR (security researcher), anyone with more experience care to comment?

    • (Score: 2) by janrinok on Saturday December 03 2022, @01:31PM

      by janrinok (52) Subscriber Badge on Saturday December 03 2022, @01:31PM (#1281011) Journal

      Thanks for the link but it is already on the third word of TFA. That link also appears to be down, but for Twitter at the moment I am not surprised.

    • (Score: 5, Funny) by Gaaark on Saturday December 03 2022, @04:05PM

      by Gaaark (41) on Saturday December 03 2022, @04:05PM (#1281018) Journal

      We reported the issue to SiriusXM who fixed it immediately and validated their patch.

      So, it wasn't a serious SiriusXM problem, I guess.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 2) by stretch611 on Sunday December 04 2022, @11:30AM

      by stretch611 (6199) on Sunday December 04 2022, @11:30AM (#1281122)

      We reported the issue to SiriusXM who fixed it immediately and validated their patch.

      And when was the last time your car and its computer got a code patch? This vulnerability is destined to be out in the wild until all the 2024 model year cars are too old to be on the road anymore.

      SOME people may get a patch, assuming that it can be patched in software itself. If it is a hardware patch they are all screwed.

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 2) by krishnoid on Saturday December 03 2022, @08:50PM

    by krishnoid (1156) on Saturday December 03 2022, @08:50PM (#1281046)

    Well, not that shocked. It's a little unsettling how much more relevant the articles' situations are becoming, against which I post that link as a comment.

  • (Score: 2) by Unixnut on Sunday December 04 2022, @12:41PM

    by Unixnut (5779) on Sunday December 04 2022, @12:41PM (#1281128)

    > "We continued to escalate this and found the HTTP request to run vehicle commands,"

    The problem (from my point of view) is not so much that this system is vulnerable, as much as that this system should not exist in the first place. I mean seriously. Cars with internet connections, and http servers, that can control the vehicle? That is just completely insane.
