A flaw in the code that allowed criminals to steal cars over the Internet has now reportedly been fixed, and owners have been urged to update their systems immediately.

The flaw was found in Connected Vehicle Services, a software package that offers a host of features such as automatic crash notifications, enhanced roadside assistance, remote door unlocking, remote start, stolen vehicle recovery, turn-by-turn navigation and integration of smart home. devices.

Connected vehicle services are built by SiriusXM and are used by a host of automakers, including Honda, Nissan, Infiniti and Acura, all of which were vulnerable.

VIN for authorization

The flaw was made public by Yuga Labs security researcher Sam Curry, who is used to finding security flaws in cars. In a Twitter thread (opens in a new tab), Curry explained how the flaw works, adding that SiriusXM has already patched it.

The problem was apparently caused by the telematics platform using the car's vehicle identification number (VIN), often found on the windshield, to authorize commands and enter user profiles.

This means that anyone who knows the VIN number can remotely issue a series of commands, from unlocking the doors to starting the engine.

In response to The Register's findings, the company spokesperson said that SiriusXM had been tipped off through its bounty hunting program.

"We take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and fix potential security vulnerabilities affecting our platforms," ​​the statement said.

“As part of this work, a security researcher submitted a report to Sirius XM Connected Vehicle Services about a permissions violation affecting a specific telematics program. The issue was resolved within 24 hours of submitting the report. At no time has any subscriber or other data been compromised and no unauthorized account has been modified using this method."

Via: The Registry (Opens in a new tab)

Share This