UPDATE: A spokesperson for SiriusXM Connected Vehicle Services told TechRadar Pro that the bug was reported through the bug bounty program and fixed within 24 hours of the initial report.
According to reports, a code vulnerability that could have been exploited to allow criminals to access connected vehicles has been fixed, and owners have been urged to update their systems immediately.
The vulnerability was discovered in SiriusXM Connected Vehicle Services, a software suite offering a slew of features such as automatic accident notifications, enhanced roadside assistance, remote door unlock, remote start, stolen vehicle recovery assistance, step-by-step navigation and integration with smart home devices.
SiriusXM Connected Vehicle Services is used by many automakers, including Honda, Nissan, Infiniti and Acura, all of which were affected by the flaw.
VIN for authorization
The vulnerability was published by Yuga Labs security researcher Sam Curry, who has experience finding vulnerabilities in cars. In a Twitter thread, Curry explained how the flaw works and added that SiriusXM has already fixed it.
Apparently the problem stemmed from the fact that the telematics platform used the Vehicle Identification Number (VIN), which is often visible through the windshield, to authorize commands and retrieve user profiles.
This means that anyone who knew a vehicle's VIN could remotely issue a range of commands, from unlocking a door to starting the engine.
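To make the flaw concrete, here is a small in-memory model added for this article (constructed example, not SiriusXM's code): the vulnerable pattern lets a public identifier select and authorize the command, while the hardened pattern resolves the caller from an authenticated session and checks the account-to-VIN binding first. The VINs, user names and session tokens are all made-up sample values.

```python
"""Toy telematics back end illustrating VIN-as-authorization versus owner-bound authorization."""


class AuthorizationError(Exception):
    """Raised when a command is rejected by the hardened check."""


class TelematicsService:
    """In-memory stand-in for a telematics API. All records below are constructed sample data."""

    def __init__(self) -> None:
        # A VIN is stamped on the windshield and appears in public records: it is an
        # identifier, never a secret, so it must not stand in for proof of who is asking.
        self.vehicles = {
            "1HGCM82633A004352": {"owner": "user-alice", "doors": "locked"},
            "JN1AZ4EH6AM123456": {"owner": "user-bob", "doors": "locked"},
        }
        # Session tokens issued after an owner logs in to the companion app (constructed).
        self.sessions = {"tok-alice": "user-alice", "tok-bob": "user-bob"}

    def unlock_vin_only(self, vin: str) -> str:
        """Vulnerable pattern: the VIN both selects the vehicle and authorizes the command."""
        vehicle = self.vehicles[vin]  # anyone who read the windshield reaches this line
        vehicle["doors"] = "unlocked"
        return vehicle["doors"]

    def is_bound_owner(self, session_token: str, vin: str) -> bool:
        """True only if the token maps to a real account and that account owns the VIN.

        Unknown VIN and someone else's VIN share one failure path, so the endpoint
        does not reveal which VINs are enrolled.
        """
        user = self.sessions.get(session_token)
        if user is None:
            return False
        vehicle = self.vehicles.get(vin)
        return vehicle is not None and vehicle["owner"] == user

    def unlock_as_owner(self, session_token: str, vin: str) -> str:
        """Hardened pattern: authenticate the caller, then enforce the account-to-VIN binding."""
        if not self.is_bound_owner(session_token, vin):
            raise AuthorizationError("caller is not bound to this vehicle")
        vehicle = self.vehicles[vin]
        vehicle["doors"] = "unlocked"
        return vehicle["doors"]
```

The same object-level check applies to every remote command and to profile retrieval: the server must derive the account from the session, never from a client-supplied identifier.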
In response to the findings, a company spokesperson told The Register that SiriusXM had been alerted through its bug bounty program.
“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and fix potential vulnerabilities affecting our platforms,” the statement reads.
“As part of this work, a security researcher submitted a report to Sirius XM’s Connected Vehicle Services about an authorization failure affecting a specific telematics program. The issue was resolved within 24 hours of submitting the request. At no time has any subscriber or other data been compromised, nor has any unauthorized account been modified using this method.”
Via: The Register