UPDATE: A spokesperson for SiriusXM Connected Vehicle Services has told TechRadar Pro that the flaw was reported through its bug bounty program and fixed within 24 hours of the initial report.
A code flaw that could have been exploited to allow criminals access to connected vehicles has now been fixed, according to reports, with owners urged to update their systems immediately.
The flaw was found in SiriusXM Connected Vehicle Services, a software suite offering a slew of features such as automatic crash notifications, enhanced roadside assistance, remote door unlocking, remote start, stolen vehicle recovery assistance, turn-by-turn navigation and integration with smart home devices.
SiriusXM Connected Vehicle Services is used by a large number of automakers, including Honda, Nissan, Infiniti, and Acura, all of which were vulnerable.
VIN for authorization
The flaw was made public by Yuga Labs security researcher Sam Curry, who has a history in finding security flaws in automobiles. In a Twitter thread (opens in new tab), Curry explained how the flaw works, and added that SiriusXM already fixed it.
Apparently, the problem stemmed from the fact that the telematics platform uses the car’s Vehicle Identification Number (VIN), which is often found on the windshield, to authorize commands and grab user profiles.
This means that whoever knows the VIN number can issue a number of commands remotely, from unlocking the doors to starting the engine.
Responding to the findings in The Register, the company’s spokesperson said SiriusXM was tipped off via its bounty-hunting program
“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms,” the statement reads.
“As part of this work, a security researcher submitted a report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”
Via: The Register (opens in new tab)