Sam Curry, an Omaha, Neb.-based security engineer.
Software security researchers and engineers used a flaw in a SiriusXM service to hack into Honda, Nissan and Toyota vehicles using only their VINs, which provides wider access to account information.
But for Hyundai and its sibling Genesis models, one only needs the email address, they said.
The researchers discovered the coding flaw in a hybrid 2022 Hyundai Sonata in September and found they could remotely unlock, start, locate, flash and honk the horn in the car. They used the same methodology to crack into Honda, Nissan and Toyota models.
As these researchers and engineers explored the back end of these smartphone applications, they kept seeing SiriusXM, a company known for its satellite and online radio services, referenced in the code and documentation related to these vehicles’ onboard systems.
During their research, they found that the domain “http://telematics.net” handled the services for enrolling cars in SiriusXM Connected Vehicle Services, a subsidiary that provides automatic crash notifications, roadside assistance, remote door unlock, remote start and stolen vehicle recovery for vehicle owners.
“This was interesting to us because we didn’t know SiriusXM offered remote vehicle management functionality, but it turns out they do,” said Sam Curry, an Omaha, Neb.-based security engineer.
The group reached out to Hyundai and SiriusXM to inform them of the vulnerabilities, Curry added.
The automakers and SiriusXM Radio said they were aware of the problem and have resolved the issue.
While the group could hack many features, they could not control any driving functions, Curry said.
“But you could start it (the car) in someone’s garage,” he said.
Curry, who works for New York-based Yuga Labs, a blockchain-based software development company, is known in cybersecurity circles for his interest in automobile telematics.
In September 2022, a hacker reached out to Curry to show him how he had breached Uber’s backend systems and compromised the ride-hailing service’s Amazon and Google-hosted cloud environments where the company stores its source code and customer data.
The automakers and SiriusXM said no mishaps resulted from the potential security breach.
“Honda is aware of a reported vulnerability involving SiriusXM connected vehicle services provided to multiple automotive brands, which, according to SiriusXM, was resolved quickly after they learned of it,” Jessica Fini, a Honda spokeswoman, said in a statement. “Honda has seen no indications of any malicious use of this now-resolved vulnerability to access connected vehicle services in Honda or Acura vehicles.”
In a statement, SiriusXM Connected Vehicle Services said that “the issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised, nor was any unauthorized account modified using this method.”
Hyundai spokesman Ira Gabriel told Automotive News that the automaker worked with third-party consultants to investigate the vulnerability as soon as Curry and his team brought the security issues to their attention.
“Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers,” Gabriel said.
To hack a Hyundai, Gabriel said one needed the email address associated with the account, along with the VIN and the script, or code, used by the hackers.
Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of its systems, he said.
Curry told Automotive News that he thought automakers could make their smartphone applications more secure through standardization, but they each take separate approaches in developing their applications.
“This is a really complicated issue, but I’d like to think our research helped remedy some of them,” Curry said. “Developing industry standards and standardizing protocols would help.”
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.
Please enter a valid email address.
Please enter your email address.
Please verify captcha.
Please select at least one newsletter to subscribe.
See more newsletter options at autonews.com/newsletters.
You can unsubscribe at any time through links in these emails. For more information, see our Privacy Policy.
Sign up and get the best of Automotive News delivered straight to your email inbox, free of charge. Choose your news – we will deliver.
Get 24/7 access to in-depth, authoritative coverage of the auto industry from a global team of reporters and editors covering the news that’s vital to your business.
Our mission
The Automotive News mission is to be the primary source of industry news, data and understanding for the industry’s decision-makers interested in North America.
1155 Gratiot Avenue
Detroit, Michigan
48207-2997
(877) 812-1584
Email us
Automotive News
ISSN 0005-1551 (print)
ISSN 1557-7686 (online)
Fixed Ops Journal
ISSN 2576-1064 (print)
ISSN 2576-1072 (online)
source
—
Note that any programming tips and code writing requires some knowledge of computer programming. Please, be careful if you do not know what you are doing…