Hacker Exploits Sirius XM Flaw to Remotely Unlock, Honk Horn on Cars

In the era of internet-connected vehicles, newly discovered cybersecurity issues are redefining what it means to "steal" a car.

In a recent experiment by Sam Curry, a staff security engineer at Yuga Labs and self-described hacker, his team was able to tap into a vulnerability in Sirius XM software to gain remote access to vehicles using their publicly available vehicle identification numbers (VINs), The Verge reports(Opens in a new window).

The SiriusXM Connected Services umbrella includes infotainment and telematics systems(Opens in a new window), which are used by 15+ OEMs, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.

Vehicle applications like MyHonda or Nissan Connect(Opens in a new window) have Sirius XM integrations. So for Curry's hacking experiment, he asked a friend for their Nissan account and logged in. This gave him access to the Nissan app to inspect its backend.

Curry noticed the security system had a login loophole. It didn't require a unique username and password to access someone's account. Instead, Curry could enter just the VIN, which is publicly posted on the windshield of any vehicle.

The team then wrote a python script that used the VIN to execute vehicle commands, allowing them to remotely start, unlock, locate, flash the lights, and honk the horn on the car. Theoretically, a bad actor could copy down the VIN from any car in their area, plug it into the script, and unlock the vehicle to steal something inside.

Another risk also surfaced: Curry's program accessed private customer information such as address, name, phone number, and latitude/longitude of the car. A hacker could use this information in multiple ways, including tracking the car regularly using its latitude and longitude, using its known whereabouts to plan nefarious activity on the owner's home.

"At this point, we identified that it was also possible to access customer information and run vehicle commands on Honda, Infiniti, and Acura vehicles in addition to Nissan," Curry tweeted. "We reported the issue to SiriusXM who fixed it immediately and validated their patch."

"At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method," a Sirius XM spokesperson tells The Verge.

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

Your subscription has been confirmed. Keep an eye on your inbox!