SoylentNews is people

posted by janrinok on Saturday December 03 2022, @10:24AM

A slew of security researchers discovered a fairly easy way to commandeer Hondas, Nissans, Infinitis, and Acuras via their infotainment systems:

Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was in the car's Sirius XM telematics infrastructure and would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, pop the trunk, and access sensitive customer info like the owner's name, phone number, address, and vehicle details.

A group of security researchers discovered the bug while hunting for issues involving major car manufacturers. One of the researchers, 22-year-old cyber professional Sam Curry, said that he and his friends were curious about the kinds of problems that might crop up if they investigated providers of what are known as "telematic services" for carmakers.

[...] After poking around in code related to various car apps, Curry and his colleagues discovered an authentication loophole inside infrastructure provided by radio giant Sirius XM. Sirius is found inside most cars' infotainment systems and provides related telematic services to most car manufacturers. The way Curry explains it, most cars have SiriusXM "bundled with the [vehicle's] infotainment system which has the capability to perform actions on the vehicle (lock/unlock, etc) and communicates via satellite to the internet to the SiriusXM API." This means that data and commands are being sent to and from Sirius by individual vehicles and that information can be hijacked, under the right circumstances.

[...] "We continued to escalate this and found the HTTP request to run vehicle commands," Curry said, explaining how deep the hack went. "We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield."

Originally spotted on Schneier on Security.



 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 2) by janrinok (52) on Saturday December 03 2022, @01:31PM (#1281011)

    Thanks for the link but it is already on the third word of TFA. That link also appears to be down, but for Twitter at the moment I am not surprised.
