A security vulnerability discovered in several automobiles including Infinity, Nissan, Honda and Acura allow threat actors to execute remote attacks using connected vehicle service provided by SiriusXM.
The vulnerability will allow hackers to remotely unlock, start, honk and locate any car without any authority over it using the vehicle identification numbers (VIN), as per Sam Curry’s tweet.
SiriusXM’s connected vehicles (CV) services are the ones that is being used by several vehicles in North America, including Hyundai, Infiniti, BMW, Acura, Land Rover, Jaguar, Nissan, Subaru and Toyota.
The system is designed to enable a wide range of security, safety, convenience services including automatic crash notification, roadside assistance, remote engine start, remote door unlock, stolen car recovery assistance, navigation and integration with IoT devices.
The SiriusXM vulnerability relates to an authorization flaw in their telematics program that made will allow the victim’s personal data to be retrieved and then execute commands on the vehicles by transmitting a specially crafted HTTP request containing the VIN number to a SiriusXM endpoint.
Curry, the security researchers also mentioned that a different vulnerability is affecting Hyundai and Genesis vehicles that can abuse the car by remotely controlling their locks, engines, headlights, and trunks of the cars made using an email address.
By reverse engineering the MyGenesis and MyHyundai apps, inspecting API traffic, Curry found a route to manipulate the email validation process and take control of a car remotely.
He also said “By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the JWT and email parameter comparison check”.
SiriusXM and Hyundai have since rolled out patches to address the SiriusXM vulnerability.
Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, and Twitter.
You can reach out to us via Twitter/ Facebook or mail us at admin@thecybersecuritytimes.com for advertising requests.
Discover the best log management tools for efficient system management and monitoring. Learn about the…
Taking remote of devices and managing them will make thing simple for IT admins. In…
In 2024, the Unified Endpoint Management Software market will continue to evolve and here are…
Explore the top 5 threat intelligence tools, their features, and how they enhance cybersecurity against…
Explore the top 5 best Microsoft Intune alternatives, comparing key features, user reviews, and capabilities…
Recast Software offers a suite of tools designed to enhance and simplify endpoint management in…