[German]Modern vehicles are equipped with a lot of electronics and software so that they can access various functions as conveniently as possible. However, security researchers have identified serious weaknesses in vehicles from Honda, Nissan, Infiniti and Acura. In the U.S., the vehicle number (VIN) visible in the windshield is sufficient to crack such vehicles remotely, open them and then drive off with them.
Advertising
I had already seen the topic on Twitter at the end of November 2022 – but there were only general hints from Sam Curry that his hack of various vehicles had succeeded. He described his findings in a series of tweets.
The background is that provider SiriusXM is arguably a leader in the Connected Car space, supplying technology for SiriusXM Remote Management to vehicle manufacturers such as Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota. SiriusXM's Connected Vehicles (CV) services are reportedly used by more than 10 million vehicles in North America, including vehicles from the aforementioned manufacturers.
The system is designed to enable a wide range of safety and convenience services, such as automatic accident notification, advanced roadside assistance, remote door unlock, remote engine start, stolen vehicle recovery assistance, turn-by-turn navigation, and smart home device integration.
Vulnerabilities in their systems therefore impact entire vehicle fleets. Security researchers noticed that SiriusXM also mentioned the Nissan Connect app for accessing vehicles. This gave the security researchers the idea to analyze the communication of this app. When analyzing the app's communication, the vehicle identification number (VIN) was found in the HTTP messages.
Advertising
After some probing, an authorization vulnerability was found in a telematics program. The vulnerability allowed security researchers to retrieve a victim's personal data and execute commands on the vehicles. This required sending a specially crafted HTTP request with the vehicle identification number (VIN) to a SiriusXM endpoint ("telematics.net"). The Hacker News broke the findings down in more detail in an article.
Security researcher Curry also pointed out another vulnerability affecting Hyundai and Genesis vehicles. This one could be abused to remotely control the locks, engines, headlights and trunks of vehicles manufactured after 2012 using registered email addresses.
SiriusXM and Hyundai have since provided patches to fix the vulnerabilities. The incident once again shows what a shaky foundation vehicle manufacturers are building their features on. The Hacker News points out that Sandia National Laboratories has summarized a number of known vulnerabilities in electric vehicle charging infrastructure. These could be exploited to skim credit card data, change prices, and even hijack an entire network of charging stations.
Similar articles:
Tesla vehicle data collection
Bluetooth Low Energy vulnerability and the Tesla car theft
Server error: Tesla vehicles could not be opened remotely
Car safety: Kia Challenge and Hyundai Key found on the web
Honda and Acura also had a Year 2K22 bug
Software: Our grave as future car owners?
Security incident: Source Code for Mercedes OLU leaked
Mercedes USA offers "Acceleration increase" package for EQ models only with $1200 annual subscription
Advertising