Hackers Use SiriusXM to Hack Into Several Automakers' Vehicles [UPDATED]

by Chris Teague

If something is connected to the internet, there is a good chance someone will figure out how to hack into it. Cars are increasingly connected, which has produced a steady stream of reports of hackers accessing, and interfering with, vehicle functions across several automakers. One benevolent hacker took to Twitter to outline an interesting hack he and others were able to pull off on several automakers’ vehicles.


Sam Curry, a security engineer at Yuga Labs, detailed how he and a group of other hackers could gain access to Nissan and other automakers’ vehicles using a vulnerability in the vehicles’ integration with SiriusXM Connected Vehicle Services. In addition to satellite radio, the company handles connected services and telematics for several major automakers, including Nissan, Acura, and Honda.


The group found websites connected with SiriusXM and used a volunteer Nissan owner’s credentials to log into that owner’s account. Once inside, they could see the VIN along with the owner’s name, phone number, address, and information on the vehicle. From there, they wrote a script that could pull any customer’s details given nothing more than that customer’s VIN.


That alone is pretty creepy, but Curry said the group could also control vehicle functions like remote start, unlock, and lighting using only the VIN. As he points out, anyone can see the VIN on any car, as it’s printed at the bottom of the windshield. Thankfully for everyone, Curry and his band of hackers took what they learned to SiriusXM, which issued an immediate fix.
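The flaw the article describes is a classic broken object-level authorization: the portal confirmed that a caller was logged in and that the VIN existed, but never that the VIN belonged to the caller, so a publicly visible identifier became the only thing standing between a stranger and the car. The toy API handler below is an added example for this article, not code from SiriusXM, Nissan or the researchers; the account names, VINs, endpoint shape and log lines are all constructed. It shows the flawed check next to the fixed one, and a small log heuristic that would surface the kind of VIN-by-VIN scraping the group automated.

```python
"""VIN-keyed telematics authorization: the flawed check beside the fixed one.

Added example for the article above; it is not code from SiriusXM, Nissan or
the researchers. Account names, VINs, handler shapes and log lines are all
constructed for illustration.
"""
from collections import defaultdict
import re

# Constructed sample data: each portal account and the VINs it owns.
ACCOUNTS = {
    "alice": {"name": "Alice Example", "phone": "555-0100",
              "vins": {"SAMPLE00000000001"}},
    "bob":   {"name": "Bob Example",   "phone": "555-0101",
              "vins": {"SAMPLE00000000002"}},
}


def _owner_of(vin):
    """Return the account that owns VIN, or None if no account has it."""
    for user, acct in ACCOUNTS.items():
        if vin in acct["vins"]:
            return user
    return None


# --- Flawed handler: a logged-in session plus any VIN is enough -------------
def remote_command_vulnerable(session_user, vin, command):
    """Checks that the caller is logged in and that the VIN is enrolled, but
    never that the VIN belongs to the caller.  Because VINs are readable
    through the windshield, this is the authorization gap the article
    describes.  Returns (http_status, body)."""
    if session_user not in ACCOUNTS:
        return 401, {"error": "not logged in"}
    owner = _owner_of(vin)
    if owner is None:
        return 404, {"error": "unknown VIN"}
    acct = ACCOUNTS[owner]
    # Leaks the real owner's details and acts on a car the caller does not own.
    return 200, {"vin": vin, "command": command,
                 "owner": acct["name"], "phone": acct["phone"]}


# --- Fixed handler: authorize the VIN against the authenticated account -----
def remote_command_fixed(session_user, vin, command):
    """Object-level check: the VIN must be one the session's account owns.
    Returns (http_status, body)."""
    if session_user not in ACCOUNTS:
        return 401, {"error": "not logged in"}
    if vin not in ACCOUNTS[session_user]["vins"]:
        # One response for "not yours" and "not enrolled", so the endpoint
        # cannot be used to confirm which VINs exist in the system.
        return 403, {"error": "vehicle not associated with this account"}
    return 200, {"vin": vin, "command": command, "status": "accepted"}


# --- Detection: one account touching many VINs it does not own --------------
LOG_RE = re.compile(r"user=(\S+) vin=(\S+) action=(\S+)")


def flag_vin_enumeration(log_lines, threshold=3):
    """Return the accounts that queried more than `threshold` distinct VINs
    they do not own: the footprint of a script walking through VINs."""
    foreign = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, vin, _action = m.groups()
        if user in ACCOUNTS and vin not in ACCOUNTS[user]["vins"]:
            foreign[user].add(vin)
    return {u for u, vins in foreign.items() if len(vins) > threshold}


# Constructed access-log lines: bob queries four VINs that are not his.
SAMPLE_LOG = [
    "2022-11-30T10:00:01Z user=alice vin=SAMPLE00000000001 action=unlock",
    "2022-11-30T10:00:05Z user=bob vin=SAMPLE00000000002 action=status",
    "2022-11-30T10:01:00Z user=bob vin=SAMPLE00000000001 action=lookup",
    "2022-11-30T10:01:02Z user=bob vin=SAMPLE00000000003 action=lookup",
    "2022-11-30T10:01:04Z user=bob vin=SAMPLE00000000004 action=lookup",
    "2022-11-30T10:01:06Z user=bob vin=SAMPLE00000000005 action=lookup",
    "2022-11-30T10:01:08Z user=bob vin=SAMPLE00000000001 action=lookup",
]

if __name__ == "__main__":
    print(remote_command_vulnerable("bob", "SAMPLE00000000001", "unlock"))
    print(remote_command_fixed("bob", "SAMPLE00000000001", "unlock"))
    print(flag_vin_enumeration(SAMPLE_LOG))
```

The important design point is where the ownership check reads from: the fixed handler looks up the VIN in the authenticated session's own account, so nothing the client supplies can widen its access. Returning the same 403 whether the VIN is someone else's or not enrolled at all keeps the endpoint from doubling as a VIN oracle, and a per-account count of foreign VINs is a cheap signal to alert on even after the check is fixed.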


This kind of vulnerability is undoubtedly alarming, but it pales in comparison to the challenges some automakers face. Kia and Hyundai are still dealing with the fallout from a TikTok challenge that demonstrates how to steal older models using only a screwdriver and a USB cable. That problem has no fix as simple as this server-side software update and has required the automakers to develop a separate “anti-theft” kit for their vehicles.

Update 12/4/2022 -- A Toyota spokesperson reached out to us with this statement: "After discussions with our SXM business team partners, it has been confirmed that Toyota and Lexus vehicles were not impacted by this vulnerability. While a number of our older generation models do use SXM Connected Services, our architecture and integration patterns are not impacted by this particular situation." We have removed Toyota's name from the list of impacted manufacturers. -- TH


Additional update 12/4/2022 -- A SiriusXM Connected Vehicle Services spokesperson reached out with this statement: “We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised, nor was any unauthorized account modified using this method.” -- CT


[Image: Chiang Rai via Shutterstock]


Comments
  • Zerofoo on Dec 06, 2022

    Stellantis offered to upgrade the 3G radio in my car to LTE ahead of the 3G network shutdown - I said no thanks. Having my car finally disconnected from mobile networks is a nice security upgrade.
