Software security researchers and engineers used a flaw in a SiriusXM service to hack into Hyundai, Honda, Nissan and Toyota vehicles using only their VINs.
They discovered the coding flaw in a hybrid 2022 Hyundai Sonata in September and found they could remotely unlock, start, locate, flash and honk the horn in the car. They used the same methodology to crack into Honda, Nissan and Toyota models.
As these researchers and engineers explored the back end of these smartphone applications, they kept seeing SiriusXM, a company known for its satellite and online radio services, referenced in the code and documentation related to these vehicles’ onboard systems.
During their research, they found that the domain “http://telematics.net” handled the services for enrolling cars in SiriusXM Connected Vehicle Services, a subsidiary that provides automatic crash notifications, roadside assistance, remote door unlock, remote start and stolen vehicle recovery for vehicle owners.
“This was interesting to us because we didn’t know SiriusXM offered remote vehicle management functionality, but it turns out they do,” said Sam Curry, an Omaha, Neb.-based security engineer.
The group reached out to Hyundai and SiriusXM to inform them of the vulnerabilities, Curry added.
The automakers and SiriusXM Radio said they were aware of the problem and had resolved the issue.
While the group could hack many features, they could not control any driving functions, Curry said.
“But you could start it (the car) in someone’s garage,” he said.
Curry, who works for New York-based Yuga Labs, a blockchain-based software development company, is known in cybersecurity circles for his interest in automobile telematics.
In September 2022, a hacker reached out to Curry to show him how he had breached Uber’s backend systems and compromised the ride-hailing service’s Amazon and Google-hosted cloud environments where the company stores its source code and customer data.
The automakers and SiriusXM said no mishaps resulted from the potential security breach.
“Honda is aware of a reported vulnerability involving SiriusXM connected vehicle services provided to multiple automotive brands, which, according to SiriusXM, was resolved quickly after they learned of it,” Jessica Fini, a Honda spokeswoman, said in a statement. “Honda has seen no indications of any malicious use of this now-resolved vulnerability to access connected vehicle services in Honda or Acura vehicles.”
In a statement, SiriusXM Connected Vehicle Services said that “the issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised, nor was any unauthorized account modified using this method.”
Hyundai spokesman Ira Gabriel told Automotive News that the automaker worked with third-party consultants to investigate the vulnerability as soon as Curry and his team brought the security issues to their attention.
“Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers,” Gabriel said.
To hack a Hyundai, Gabriel said one needed the email address associated with the account, along with the VIN and the script, or code, used by the hackers.
Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of its systems, he said.
Curry told Automotive News that he thought automakers could make their smartphone applications more secure through standardization, but they each take separate approaches in developing their applications.
“This is a really complicated issue, but I’d like to think our research helped remedy some of them,” Curry said. “Developing industry standards and standardizing protocols would help.”