Sam Curry, a white hat (that is, ethical) hacker, recently uncovered security vulnerabilities in new cars that allowed him to remotely unlock, start, locate, flash the lights of, and honk the horns of vehicles from numerous manufacturers.
The good news is that the flaws Curry, a security engineer at Yuga Labs, found have already been patched, so unethical hackers can't use them now. That doesn't change the fact that the holes existed beforehand, exposing the owners of potentially affected cars to real risk.
The first hack Curry detailed (he posted detailed walkthroughs on Twitter) used a vulnerability in Sirius XM's Connected Vehicle services. It turns out that many OEMs rely on Sirius XM's Connected Vehicle services to provide remote features for their cars; the manufacturers currently using the system include Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Nissan and Subaru. With so many brands sharing one back end, that back end becomes a single point of failure: one way in gives an attacker access to vehicles from multiple car companies at once.
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo)
November 30, 2022
If you speak the language of computers and online security, we recommend reading Curry's Twitter thread above. Greatly simplified: all Curry needed to execute the commands above on cars using Sirius XM Connected Vehicle services was the car's VIN, an identifier that is not a secret, since it is stamped on a plate visible through the windshield of every car and appears in registration and insurance paperwork. Reaching that point took considerable work, of the sort only specialists in this field would be able to do. Curry confirmed the hack worked on Honda, Acura, Infiniti and Nissan vehicles, and suggested it would likely work on the other manufacturers using Sirius XM Connected Vehicle services as well.
We queried Sirius about this hacking activity, and the company sent us a statement in return:
“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”
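The page describes the Sirius XM flaw only in outline: a request to the telematics back end named the target car by VIN, and the service acted on it without confirming that the VIN belonged to the caller, which is what Sirius XM's statement calls an authorization flaw. What follows is an illustration added here of that class of bug, not code from Sirius XM, Hyundai or Curry's team, and not his actual exploit path: a minimal in-memory model of a remote-command endpoint, in a vulnerable form that trusts the client-supplied VIN beside a hardened form that checks server-side that the authenticated account owns the vehicle. The accounts, tokens, VINs, the bearer-token login and the request shape are all constructed assumptions, including the assumption that the attacker holds an ordinary account of their own.

```python
# Added illustration (not Sirius XM's, Hyundai's or Curry's code): a minimal
# telematics "remote command" service modelled in memory. It shows the class of
# authorization flaw the article describes: the server trusting a client-supplied
# vehicle identifier (here the VIN) instead of checking that the vehicle belongs
# to the authenticated account. Accounts, VINs, tokens and the request format
# are constructed sample data and assumptions, not a real vendor API.
from dataclasses import dataclass

# Constructed data: which account owns which VIN (server-side source of truth).
VEHICLE_OWNER = {
    "1HGCM82633A004352": "alice@example.com",
    "5N1AT2MV7EC123456": "bob@example.com",
}

# Constructed session store: bearer token -> account it belongs to.
SESSIONS = {
    "tok-alice": "alice@example.com",
    "tok-bob": "bob@example.com",
}

# The remote features the article lists.
ALLOWED_COMMANDS = {"unlock", "start", "locate", "flash", "honk"}


@dataclass
class Response:
    status: int
    body: dict


def _authenticate(headers):
    """Map an 'Authorization: Bearer <token>' header to an account, or None."""
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    return SESSIONS.get(token.strip())


def vulnerable_remote_command(headers, body):
    """Authenticates the caller, then acts on whatever VIN the request names.
    Authentication without object-level authorization: any logged-in account
    can command any vehicle whose VIN it knows."""
    account = _authenticate(headers)
    if account is None:
        return Response(401, {"error": "unauthenticated"})
    vin, command = body.get("vin"), body.get("command")
    if vin not in VEHICLE_OWNER or command not in ALLOWED_COMMANDS:
        return Response(400, {"error": "bad request"})
    # Missing check: is `vin` actually owned by `account`?
    return Response(200, {"vin": vin, "command": command, "result": "sent"})


def hardened_remote_command(headers, body):
    """Same API, but the VIN must be one the authenticated account owns. The
    ownership lookup is server-side, so the client cannot influence it."""
    account = _authenticate(headers)
    if account is None:
        return Response(401, {"error": "unauthenticated"})
    vin, command = body.get("vin"), body.get("command")
    if command not in ALLOWED_COMMANDS:
        return Response(400, {"error": "bad request"})
    # Object-level authorization: deny unless this account owns this VIN.
    # Answering 404 rather than 403 avoids confirming which VINs are enrolled.
    if VEHICLE_OWNER.get(vin) != account:
        return Response(404, {"error": "vehicle not found"})
    return Response(200, {"vin": vin, "command": command, "result": "sent"})


def attacker_unlocks_bobs_car(handler):
    """Alice (the attacker) holds her own valid session and knows only Bob's VIN."""
    return handler(
        {"Authorization": "Bearer tok-alice"},
        {"vin": "5N1AT2MV7EC123456", "command": "unlock"},
    )


if __name__ == "__main__":
    print("vulnerable:", attacker_unlocks_bobs_car(vulnerable_remote_command))
    print("hardened:  ", attacker_unlocks_bobs_car(hardened_remote_command))
```

Run as-is, the vulnerable handler returns 200 and "sends" the unlock to Bob's car on Alice's session, while the hardened handler returns 404. The point for anyone reviewing a connected-car or other device API is that the target identifier in the request (VIN, device ID, email) is attacker-controlled input, and every command path must resolve it against the caller's own account on the server before acting.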
Thankfully, this hack came from the good side of the hacking world, and Sirius XM took the flaw seriously and fixed it right away so it couldn't be replicated by nefarious actors. Hacking Sirius XM wasn't the only car-related exploit Curry tackled recently, though: Hyundai's vehicle smartphone app was also under the microscope.
Instead of going through the bigger umbrella of Sirius XM's services, Curry turned his attention to Hyundai's own mobile app, and found a way in. This time, all Curry needed was the email address of the vehicle owner. With that, he wrote a script that gave him access to every vehicle command the Hyundai smartphone app can issue. It worked on Hyundai and Genesis models from 2012 or newer; the example car Curry used was the latest-generation Hyundai Elantra. He was able to remotely control the locks, engine, horn, headlights and trunk. As with the Sirius XM exploit, we suggest reading the Twitter thread below for the details of how Curry went about hacking the app.
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
— Sam Curry (@samwcyo)
November 29, 2022
We asked Hyundai about this hacking activity and received a company statement in return:
“Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention. Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers.
“We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai account and vehicle as well as the specific web-script employed by the researchers were required to be known. Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems.
“We value our collaboration with security researchers and appreciate this team’s assistance.”
Similar to Sirius XM, Hyundai appears to have taken the flaw seriously and patched it so it can't be replicated. Both the Hyundai-specific and the Sirius XM hacks are examples of good bug bounty hunting by good actors, but they also illustrate the risk that comes with cars that are constantly connected to the internet. Being able to lock your car from halfway across the country is convenient, but anything connected to the internet can be hacked, and in both of these cases the weak point was not the car itself but the cloud service behind the app. OEMs know this and take cybersecurity seriously, but the threat from bad actors still looms large as vehicles become ever more intertwined with online and connected services.
Update: Toyota and Lexus, after working with Sirius XM, have determined that their vehicles were not impacted by the vulnerability due to Toyota's "architecture and integration patterns" with Sirius XM Connected Services. As such, Toyota and Lexus have been removed from the list of affected vehicles the hackers claimed to have had access to.