Hackers Use SiriusXM to Hack Into Several Automakers' Vehicles [UPDATED]


If something is connected to the internet, there’s a good chance someone will figure out how to hack into it. Cars are increasingly connected, which has led to several stories of hackers accessing and breaking various automakers’ vehicle functions. One benevolent hacker took to Twitter to outline an interesting hack he and others were able to pull off on several automakers’ vehicles.
Sam Curry, a security engineer at Yuga Labs, detailed how he and a group of other hackers could gain access to Nissan and other automakers’ vehicles using a vulnerability in their connection with SiriusXM Connected Vehicle Services. In addition to satellite radio, the company handles connected services and telematics for several major automakers, including Nissan, Acura, and Honda.
The group found websites connected with SiriusXM and used a volunteer Nissan owner’s credentials to log into that owner’s account. Once inside, they could see the VIN, the owner’s name, phone number, and address, and information about the vehicle. From there, they developed a script that could scrape the details of any customer using only a VIN.
That alone is pretty creepy, but Curry said the group could control vehicle functions like remote start, unlock, and lighting functions using only the VIN. As he points out, anyone can see the VIN on any car, as it’s printed at the bottom of the windshield. Thankfully for everyone, Curry and his band of hackers took what they learned to SiriusXM, which issued an immediate fix.
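The flaw described above is a missing object-level authorization check: a valid login is required, but the backend never verifies that the VIN in the request belongs to the account making it. The following Python is an added illustration, not SiriusXM's or any automaker's code, and its data, account IDs and VINs are constructed; it shows a simplified "before" handler that trusts the VIN alone beside a "fixed" handler that ties the VIN to the authenticated account for both data lookups and vehicle commands.

```python
# Added illustration (not SiriusXM's or Nissan's code): a simplified in-memory
# model of a telematics backend. The "before" handler trusts a client-supplied
# VIN alone; the "after" handler also checks that the authenticated account
# actually owns that VIN (object-level authorization). All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    account_id: str
    name: str
    phone: str


# Constructed sample data: which account owns which VIN.
CUSTOMERS = {
    "acct-1": Customer("acct-1", "Volunteer Owner", "555-0100"),
    "acct-2": Customer("acct-2", "Other Customer", "555-0199"),
}
VIN_OWNER = {
    "VINEXAMPLE000001": "acct-1",
    "VINEXAMPLE000002": "acct-2",
}


class Forbidden(Exception):
    pass


def lookup_vulnerable(session_account: str, vin: str) -> Customer:
    """Before: any logged-in account can read any customer's record by VIN."""
    owner = VIN_OWNER[vin]  # session is valid, but ownership is never checked
    return CUSTOMERS[owner]


def lookup_fixed(session_account: str, vin: str) -> Customer:
    """After: the VIN must belong to the account the session is bound to."""
    owner = VIN_OWNER.get(vin)
    if owner is None or owner != session_account:
        # Same response for "no such VIN" and "not yours", so an unauthorized
        # caller cannot use the error to learn which VINs exist in the system.
        raise Forbidden("VIN not associated with this account")
    return CUSTOMERS[owner]


def remote_command_fixed(session_account: str, vin: str, command: str) -> str:
    """Vehicle commands (remote start, unlock, lights) gate on the same check."""
    lookup_fixed(session_account, vin)  # raises Forbidden on any mismatch
    if command not in {"remote_start", "unlock", "lights"}:
        raise ValueError(f"unsupported command: {command}")
    return f"{command} queued for {vin}"
```

The ownership check belongs on every VIN-keyed endpoint, not only the profile lookup, since the vehicle-control calls were reachable with the VIN alone.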
This kind of vulnerability is undoubtedly alarming, but it pales in comparison to the challenges some automakers face. Kia and Hyundai are still dealing with the fallout from a TikTok challenge that demonstrates how to steal older models using only a screwdriver and a USB cable. That problem is not as easy to fix as this software update and has required the automakers to develop a separate “anti-theft” kit for their vehicles.
Update 12/4/2022 -- A Toyota spokesperson reached out to us with this statement: "After discussions with our SXM business team partners, it has been confirmed that Toyota and Lexus vehicles were not impacted by this vulnerability. While a number of our older generation models do use SXM Connected Services, our architecture and integration patterns are not impacted by this particular situation." We have removed Toyota's name from the list of impacted manufacturers. -- TH
Additional update 12/4/2022 -- A SiriusXM Connected Vehicle Services spokesperson reached out with this statement: “We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised, nor was any unauthorized account modified using this method.”--CT
[Image: Chiang Rai via Shutterstock]
Stellantis offered to upgrade the 3G radio in my car to LTE ahead of the 3G network shutdown - I said no thanks. Having my car finally disconnected from mobile networks is a nice security upgrade.