.png)
BOOK THIS SPACE FOR AD
ARTICLE ADResearchers discovered a security flaw in the connected vehicle service SiriusXM that exposes multiple car models to remote attacks.
Cybersecurity researchers discovered a security vulnerability in the connected vehicle service provided by SiriusXM that can allow threat actors to remotely attack vehicles from multiple carmakers, including Honda, Nissan, Infiniti, and Acura.
Researcher Sam Curry shared details about his findings in a series of tweets, he demonstrated that a remote attacker can exploit the flaw in the service to unlock, start, locate, and honk a car by simply knowing the vehicle’s vehicle identification number (VIN).
Curry and his team scanned the internet to find domains owned by SiriusXM and perform reverse-engineering of the mobile apps of SiriusXM customers to figure out how the service works.
The experts began investigating the domain “http://telematics.net” handling services for enrolling vehicles in the SiriusXM remote management functionality.
The experts analyzed the NissanConnect app and reached out to some Nissan owners who signed into their accounts to inspect the HTTP traffic. It was easy to identify the format of the “customerId” parameter, which is composed of an “nissancust” prefix to the identifier along with the “Cv-Tsp” header which specified “NISSAN_17MY”. Any change to the inputs produced failure in the requests.
There was one HTTP request in particular that was interesting: the "exchangeToken" endpoint would return an authorization bearer dependent on the provided "customerId".
While fuzzing, we removed the "vin" parameter and it still worked. It seemed to only care about "customerId". pic.twitter.com/kENFIDwudz
After hours of tests the experts noticed a format of VIN number in a HTTP responses vin:5FNRL6H82NB044273, which was similar to the “nissancust” prefix. Then the experts tried sending the VIN prefixed ID as the customerId, and it returned “200 OK” and returned a bearer token.
It returned "200 OK" and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier.
To make sure this wasn't related to our session JWT, we completely dropped the Authorization parameter and it still worked! pic.twitter.com/zCdCHQfCcY
The experts took the authorization bearer and used it in an HTTP request to fetch the details of the user profile (name, phone number, address, and car details). The experts developed a simple python script to fetch the customer details of any VIN number.
The experts were also able to find the HTTP request to run vehicle commands.
At this point, we identified that it was also possible to access customer information and run vehicle commands on Honda, Infiniti, and Acura vehicles in addition to Nissan.
We reported the issue to SiriusXM who fixed it immediately and validated their patch.
The researcher reported their discovery to SiriusXM who immediately addressed the issue.
Curry and his team also discovered a vulnerability affecting Hyundai and Genesis vehicles that can be exploited to remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
To explain how it worked and how we found it, we have @_specters_ as our mock car thief: pic.twitter.com/WWyY6vFoAF
Hyundai also rapidly addressed the flaw
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, car hacking)
Bengali (Bangladesh) · 
English (United States) ·