Hackers Use SiriusXM to Hack Into Several Automakers' Vehicles [UPDATED]

by Chris Teague

If something is connected to the internet, there’s a great chance someone will figure out how to hack into it. Cars are increasingly connected, which has led to several stories of hackers reaching, and manipulating, vehicle functions across various automakers. One benevolent hacker took to Twitter to outline an interesting hack he and others were able to pull off on several automakers’ vehicles.


Sam Curry, a security engineer at Yuga Labs, detailed how he and a group of other hackers could gain remote access to Nissan and other automakers’ vehicles through a vulnerability in the automakers’ integration with SiriusXM Connected Vehicle Services. In addition to satellite radio, the company handles connected services and telematics for several major automakers, including Nissan, Acura, and Honda.


The group found web applications that integrate with SiriusXM and, with a volunteer Nissan owner’s permission, used that owner’s credentials to log into the account. Once inside, they could retrieve the account’s VINs along with the owner’s name, phone number, address, and details about the vehicle. From there, they wrote a script that returned those same details for any VIN they supplied, not just the vehicles on the account they were logged into.


That alone is pretty creepy, but Curry said the group could also trigger vehicle functions such as remote start, unlock, and the lights using only the VIN. As he points out, the VIN is not a secret: it sits on a plate visible through the windshield at the base of the dashboard on any car. Thankfully for everyone, Curry and his band of hackers reported what they found to SiriusXM, which issued a fix right away.
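The flaw as described is an authorization bug rather than a break-in: the backend confirmed that the caller was logged in, but not that the VIN in the request belonged to that caller, and a VIN is readable from the sidewalk. The Python below is an added illustration of that pattern and its fix; it is not SiriusXM's, Nissan's, or Curry's code, and the account names, VINs, owner records, and handler shape are all made up for the example.

```python
"""Toy model of a VIN-keyed telematics API, vulnerable and fixed.

Constructed example only. The accounts, VINs and owner records below are
invented; the handlers stand in for a real HTTP endpoint that takes a
session and a VIN and returns owner details or sends a command to the car.
"""

# Constructed data: which account has which vehicle enrolled.
ACCOUNTS = {
    "alice": {"vins": {"1HGCM82633A004352"}},  # hypothetical VIN
    "bob":   {"vins": {"JN1AZ4EH5EM123456"}},  # hypothetical VIN
}

# Constructed data: the PII the backend returns alongside a vehicle.
OWNERS = {
    "1HGCM82633A004352": {"name": "A. Example", "phone": "555-0100", "address": "1 Main St"},
    "JN1AZ4EH5EM123456": {"name": "B. Example", "phone": "555-0101", "address": "2 Elm St"},
}

ALLOWED_COMMANDS = {"remote_start", "unlock", "lights"}


class Forbidden(Exception):
    """Raised when a request is denied; maps to an HTTP 403 in a real service."""


def vulnerable_command(session_user: str, vin: str, command: str) -> dict:
    """Checks authentication (is the caller logged in?) but never checks
    authorization (does this VIN belong to the caller?). Any logged-in user
    can therefore read the owner record for, and send commands to, any VIN."""
    if session_user not in ACCOUNTS:
        raise Forbidden("not logged in")
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    owner = OWNERS.get(vin)
    if owner is None:
        raise Forbidden("vehicle not found")
    return {"vin": vin, "command": command, "owner": owner}


def fixed_command(session_user: str, vin: str, command: str) -> dict:
    """Same API, but the VIN must be enrolled on the calling account.
    The ownership check happens before the VIN is even looked up, and the
    error for 'not yours' is the same as for 'does not exist', so the
    endpoint cannot be used to enumerate which VINs are in the system."""
    if session_user not in ACCOUNTS:
        raise Forbidden("not logged in")
    if vin not in ACCOUNTS[session_user]["vins"]:
        raise Forbidden("vehicle not found")
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    return {"vin": vin, "command": command, "owner": OWNERS[vin]}


def cross_account_exposed(handler) -> bool:
    """Regression check: can bob act on a VIN enrolled only on alice's account?
    Returns True when the handler allows it (the flaw is present)."""
    alices_vin = next(iter(ACCOUNTS["alice"]["vins"]))
    try:
        handler("bob", alices_vin, "unlock")
        return True
    except Forbidden:
        return False


def denial_is_uniform(handler) -> bool:
    """Regression check: a foreign VIN and an unknown VIN must produce the
    same error text, otherwise the endpoint leaks which VINs are enrolled."""
    alices_vin = next(iter(ACCOUNTS["alice"]["vins"]))
    messages = []
    for vin in (alices_vin, "00000000000000000"):
        try:
            handler("bob", vin, "unlock")
            messages.append("allowed")
        except Forbidden as exc:
            messages.append(str(exc))
    return messages[0] == messages[1]


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_command), ("fixed", fixed_command)):
        print(name, "cross-account exposed:", cross_account_exposed(handler),
              "uniform denial:", denial_is_uniform(handler))
```

The two `*_exposed`/`denial_is_uniform` checks are the kind of test worth keeping in a telematics service's CI: they use one legitimate test account against another's vehicle, which is exactly how the researchers demonstrated the issue, and they fail the build if a future change drops the ownership check or starts distinguishing foreign VINs from unknown ones.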


This kind of vulnerability is undoubtedly alarming, but it pales in comparison to the challenges some automakers face. Kia and Hyundai are still dealing with the fallout from a TikTok challenge that demonstrates how to steal older models that lack an engine immobilizer using only a screwdriver and a USB cable. That problem cannot be fixed with a server-side update the way this one was, and it has required the automakers to develop a separate “anti-theft” kit for their vehicles.

Update 12/4/2022 -- A Toyota spokesperson reached out to us with this statement: "After discussions with our SXM business team partners, it has been confirmed that Toyota and Lexus vehicles were not impacted by this vulnerability. While a number of our older generation models do use SXM Connected Services, our architecture and integration patterns are not impacted by this particular situation." We have removed Toyota's name from the list of impacted manufacturers. -- TH


Additional update 12/4/2022 -- A SiriusXM Connected Vehicle Services spokesperson reached out with this statement: “We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised, nor was any unauthorized account modified using this method.” -- CT


[Image: Chiang Rai via Shutterstock]


About the author: Chris grew up in, under, and around cars, but took the long way around to becoming an automotive writer. After a career in technology consulting and a trip through business school, Chris began writing about the automotive industry as a way to reconnect with his passion and get behind the wheel of a new car every week. He focuses on taking complex industry stories and making them digestible by any reader. Just don’t expect him to stay away from high-mileage Porsches.

Comments
  • Zerofoo Zerofoo on Dec 06, 2022

    Stellantis offered to upgrade the 3G radio in my car to LTE ahead of the 3G network shutdown - I said no thanks. Having my car finally disconnected from mobile networks is a nice security upgrade.
