Could A Sirius XM Flaw Result In A Car Theft? Not Anymore


Thanks to a security engineer at Yuga Labs, a Sirius XM vulnerability that could have enabled a hacker to unlock a vehicle and even start up the engine remotely has been quickly addressed and fixed.


The engineer discovered the startling security flaw when reviewing the satellite radio operation’s connected vehicle services.

Yuga Labs is an entity “shaping Web3 through storytelling, experiences and community” and Sam Curry is one of their staff security engineers. His job: to access consumer information, and then tell companies they’ve got a problem.

That’s how Curry discovered that there’s something seriously wrong with Sirius XM in numerous vehicles.

From the vehicle’s GPS location and speed to turn-by-turn navigation, maintenance requirements, voice commands on a phone and call logs to text messages and other data, the connected car is now more than ever a vessel full of personal information.

But what security concern might a consumer have? Just ask Curry, who determined that a hacker could tap into MyHonda or Nissan Connected through Sirius XM, which “built infrastructure around the sending and receiving of this data.” That infrastructure allowed consumers to authenticate to it using a mobile app.

Here’s the challenge for those seeking to stop a hacker: those using the app have accounts tied to their vehicle identification number (VIN), and such an account can carry out various commands while sending automobile information to the user.

That’s the problem for Curry: Sirius XM’s use of a VIN linked with a person’s account to execute commands and send information could potentially let a hacker gain access to a vehicle owner’s personal details.

There’s more. Writing November 29 on Twitter, Curry said, “At this point, we identified that it was also possible to access customer information and run vehicle commands on Honda, Infiniti, and Acura vehicles in addition to Nissan.”

Does this put Sirius XM subscribers with these vehicles in peril?

Not today. “We reported the issue to Sirius XM who fixed it immediately and validated their patch,” Curry said.

Still, Curry was able to carry out various commands after grabbing a car’s VIN — including hitting the START button, controlling the vehicle locks and lights, and even honking the horn.

Sirius XM spokesperson Lynnsey Ross told Digital Music News the security flaw was resolved within one day after Curry submitted the report. “At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method,” she told the publication.
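
One way to close this class of flaw, as an added example that is not from Sirius XM, Curry or this article: a command backend that treats knowledge of a VIN as ownership, next to one that checks the VIN against the logged-in account and records denials for review. The data model, function names and VINs are constructed assumptions; the article does not describe the real API or the actual patch.

```python
"""Constructed model of a connected-car command backend (hypothetical, not a real API)."""
from dataclasses import dataclass

# Constructed sample data: which account enrolled which VIN.
ENROLLMENTS = {"5J6EXAMPLE0000001": "alice", "JN1EXAMPLE0000002": "bob"}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "horn", "lights"}


@dataclass(frozen=True)
class Session:
    account: str  # identity established at login, never read from the request body


class Forbidden(Exception):
    pass


def run_command_vin_only(vin, command):
    """Weak pattern: a VIN is an identifier, yet it is accepted here as proof of ownership."""
    if vin in ENROLLMENTS and command in ALLOWED_COMMANDS:
        return f"{command} sent to {vin}"
    raise Forbidden("unknown VIN or command")


def run_command_bound(session, vin, command, audit):
    """Hardened pattern: the VIN must be enrolled to the authenticated account."""
    owner = ENROLLMENTS.get(vin)
    allowed = owner == session.account and command in ALLOWED_COMMANDS
    audit.append({"account": session.account, "vin": vin,
                  "command": command, "allowed": allowed})
    if not allowed:
        # Same answer for unknown and foreign VINs, so responses do not confirm enrollment.
        raise Forbidden("request denied")
    return f"{command} sent to {vin}"


def cross_account_attempts(audit):
    """Detection: accounts denied a command on a VIN enrolled to a different account."""
    return sorted({e["account"] for e in audit
                   if not e["allowed"]
                   and ENROLLMENTS.get(e["vin"]) not in (None, e["account"])})


if __name__ == "__main__":
    log = []
    print(run_command_bound(Session("alice"), "5J6EXAMPLE0000001", "lock", log))
    try:
        run_command_bound(Session("bob"), "5J6EXAMPLE0000001", "unlock", log)
    except Forbidden as exc:
        print("bob:", exc, "| flagged accounts:", cross_account_attempts(log))
```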