Hackers Use SiriusXM to Hack Into Several Automakers' Vehicles [UPDATED]

Chris Teague
by Chris Teague
hackers use siriusxm to hack into several automakers vehicles updated

If something is connected to the internet, there’s a great chance someone will figure out how to hack into it. Cars are increasingly connected, leading to several stories of hackers accessing and breaking various automakers’ vehicle functions. One benevolent hacker took to Twitter to outline an interesting hack he and others were able to pull off on several automakers’ vehicles. 

Sam Curry, a security engineer at Yuga Labs, detailed how he and a group of other hackers could gain access to Nissan and other automakers’ vehicles using a vulnerability in their connection with SiriusXM Connected Vehicle Services. In addition to satellite radio, the company handles connected services and telematics for several major automakers, including Nissan, Acura, and Honda. 

The group found websites connected with SiriusXM and used a volunteer Nissan owner’s credentials to log into their account. Once inside, they could find VINs and the owner’s name, phone number, address, and information on their vehicle. From there, they developed a script to scrape the details of any customer using the VIN.

That alone is pretty creepy, but Curry said the group could control vehicle functions like remote start, unlock, and lighting functions using only the VIN. As he points out, anyone can see the VIN on any car, as it’s printed at the bottom of the windshield. Thankfully for everyone, Curry and his band of hackers took what they learned to SiriusXM, which issued an immediate fix. 

This kind of vulnerability is undoubtedly alarming, but it pales in comparison to the challenges some automakers face. Kia and Hyundai are still dealing with the fallout from a TikTok challenge that demonstrates how to steal older models using only a screwdriver and a USB cable. That problem is not as easy to fix as this software update and has required the automakers to develop a separate “anti-theft” kit for their vehicles.

Update 12/4/2022 -- A Toyota spokesperson reached out to us with this statement: "After discussions with our SXM business team partners, it has been confirmed that Toyota and Lexus vehicles were not impacted by this vulnerability. While a number of our older generation models do use SXM Connected Services, our architecture and integration patterns are not impacted by this particular situation." We have removed Toyota's name from the list of impacted manufacturers. -- TH

Additional update 12/4/2022 -- A SiriusXM Connected Vehicle Services spokesperson reached out with this statement: “We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted.  At no point was any subscriber or other data compromised, nor was any unauthorized account modified using this method.”--CT

[Image: Chiang Rai via Shutterstock]

Become a TTAC insider. Get the latest news, features, TTAC takes, and everything else that gets to the truth about cars first by  subscribing to our newsletter.

Join the conversation
2 of 11 comments
  • Zerofoo Zerofoo on Dec 06, 2022

    Stellantis offered to upgrade the 3G radio in my car to LTE ahead of the 3G network shutdown - I said no thanks. Having my car finally disconnected from mobile networks is a nice security upgrade.

  • Mary Mary on Mar 12, 2023

    Hello, my name is Mary George. In fact, I was fooled by a dishonest broker who disappeared with my funds a few months ago. I contacted H a c k Mavens and gave him everything he needed to help in recovering my 4.7 BTC and I am glad he recovered my money. Although I was skeptical at first, I can boldly tell the world to contact H A C K M A V E N S 5 @ G M A I L . C O M or Call/Text/WhatsApp: + 1 (2 0 9) 4 1 7 – 1 9 5 7 for all kinds of h a c k i n g services. He is always straight forward and ready to answer every question put across to him. Best regards!

  • Bullnuke It may be awhile before these show up on US shores. The MV Fremantle Highway has just started demo/reconstruction in Rotterdam after the large fire when transporting its last shipment of electric Porsche products.
  • Fie on Fiasler Big, fast and thirsty does not equal good. True luxury is not cobbled together by the UAW.
  • Inside Looking Out I see it as gladiator races - only one survives in virtual world.
  • Crown They need to put the EcoDiesel back in the Grand Cherokee. I have a 2018 and it has been the most reliable vehicle I ever owned. 69,000 miles and only needed tires, and regular oil and fuel filter changes.
  • El scotto Y'all are overthinking this. Find some young hard-charging DA seeking the TV limelight to lock this kid up. Heck, have John Boehner come up from Cincy to help the young DA get his political career going. Better yet, have the young DA spin this as hard as he or she can; I'm the candidate for Law and Order, I defied our go-easy office and leadership to get this identified criminal locked up. Oh this could be spun more than a hyper active kid's top.Now I'd do some consulting work for Little Kings Original Cream Ale and Skyline Chili.