Researchers Used a Sirius XM Bug to Easily Hijack a Bunch of Different Cars

by janrinok from SoylentNews on (#66F7E)

fliptop writes:

A slew of security researchers discovered a fairly easy way to commandeer Hondas, Nissans, Infinitis, and Acuras via their infotainment systems:

Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was in the car's Sirius XM telematics infrastructure and would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, pop the trunk, and access sensitive customer info like the owner's name, phone number, address, and vehicle details.

A group of security researchers discovered the bug while hunting for issues involving major car manufacturers. One of the researchers, 22-year-old cyber professional Sam Curry, said that he and his friends were curious about the kinds of problems that might crop up if they investigated providers of what are known as "telematic services" for carmakers.

[...] After poking around in code related to various car apps, Curry and his colleagues discovered an authentication loophole inside infrastructure provided by radio giant Sirius XM. Sirius is found inside most cars' infotainment systems and provides related telematic services to most car manufacturers. The way Curry explains it, most cars have SiriusXM "bundled with the [vehicle's] infotainment system which has the capability to perform actions on the vehicle (lock/unlock, etc) and communicates via satellite to the internet to the SiriusXM API." This means that data and commands are being sent to and from Sirius by individual vehicles and that information can be hijacked, under the right circumstances.

[...] "We continued to escalate this and found the HTTP request to run vehicle commands," Curry said, explaining how deep the hack went. "We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield."

Originally spotted on Schneier on Security.
