Sirius XM flaw could’ve let hackers remotely unlock and start cars

From The Verge: A vulnerability affecting Sirius XM’s connected vehicle services could’ve let hackers remotely start, unlock, locate, flash the lights, and honk the horn on cars. Sam Curry, a security engineer at Yuga Labs, worked with a group of security researchers to discover the flaw and outlined their findings in a thread on Twitter (via Gizmodo).

In addition to providing a satellite radio subscription, Sirius XM also powers the telematics and infotainment systems used by a number of auto manufacturers, including Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota. These systems collect a great deal of information about your car that’s easy to overlook — and that carries real privacy implications. Last year, a report from Vice called attention to a spy firm, called Ulysses, which collected and planned to sell over 15 billion telematics-based car locations to the US government.

While telematics systems obtain data about your car’s GPS location, speed, turn-by-turn navigation, and maintenance requirements, certain infotainment setups might track call logs, voice commands, text messages, and more. All of this data allows vehicles to provide “smart” features, like automatic crash detection, remote engine start, stolen vehicle alerts, navigation, and the ability to remotely lock or unlock your car. Sirius XM offers all these features and more, and says over 12 million vehicles on the road use its connected vehicle systems.

However, as Curry demonstrates, bad actors can take advantage of this system if the proper safeguards aren’t in place. In a statement to Gizmodo, Curry says Sirius XM “built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app,” like MyHonda or Nissan Connected. Users can log into their accounts on these apps, which are linked to their vehicle’s VIN, to execute commands and obtain information about their cars.
