
Researchers Used a Sirius XM Bug to Easily Hijack a Bunch of Different Cars

A slew of security researchers discovered a fairly easy way to commandeer Hondas, Nissans, Infinitis, and Acuras via their infotainment systems.


How do you hack a car? Through its infotainment system, apparently.

Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was in the car’s Sirius XM telematics infrastructure and would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, pop the trunk, and access sensitive customer info like the owner’s name, phone number, address, and vehicle details.

A group of security researchers discovered the bug while hunting for issues involving major car manufacturers. One of the researchers, 22-year-old cyber professional Sam Curry, said that he and his friends were curious about the kinds of problems that might crop up if they investigated providers of what are known as “telematic services” for carmakers.

Even if you don’t own a Tesla, most modern vehicles are basically web-connected computers on wheels. Inflows and outflows of vehicle data—what is known as telematics—make cars more convenient and customizable than ever before, but they also make them more vulnerable to cyberattacks and remote hijacking. The telematics industry is also a giant privacy hazard, because car manufacturers have been known to sell vehicle data to surveillance vendors, who then do creepy stuff like sell it to government agencies.

After poking around in code related to various car apps, Curry and his colleagues discovered an authentication loophole inside infrastructure provided by radio giant Sirius XM. Sirius is found inside most cars’ infotainment systems and provides related telematic services to most car manufacturers. The way Curry explains it, most cars have SiriusXM “bundled with the [vehicle’s] infotainment system which has the capability to perform actions on the vehicle (lock/unlock, etc) and communicates via satellite to the internet to the SiriusXM API.” This means that data and commands are being sent to and from Sirius by individual vehicles and that information can be hijacked, under the right circumstances.

“It’s as if you had a cell phone connected to your vehicle and could receive and send text messages from the car telling it what to do or sharing the state of the car back to the sender,” Curry said. “In this case, they built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app (whether it’s the Nissan Connected mobile app or the MyHonda app). Once the customer was logged into their account and their account had their VIN number associated to it, they could access that pipeline where they can run commands and receive data (e.g. location, speed, etc) from their vehicle.”

By exploiting an authentication flaw in Sirius XM’s system, a cybercriminal could have hijacked the car, as well as the associated customer account information, Curry explained.

“We continued to escalate this and found the HTTP request to run vehicle commands,” Curry said, explaining how deep the hack went. “We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim’s VIN number, something that was on the windshield.”

When reached for comment, Sirius XM acknowledged the issue and provided Gizmodo with the following comment:

“A security researcher submitted a [bug bounty] report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”

Gizmodo also reached out to the affected car manufacturers for comment and will update this story if they respond.

Suffice it to say, these days it might be safer to pal around in a beat-up junker than your souped-up electric vehicle. At least your 1979 Ford Pinto didn’t have hijack-able computer systems that could run you off the road.