As convenient as it may be to control certain features of your car from a mobile app, keep in mind that new technology also draws attackers looking for vulnerabilities in it.
As it turns out, the remote car apps of several automotive giants, which let users start, unlock, honk, and locate their car from their phones, could be used without any login credentials at all.
Sam Curry, a hacker, bug bounty hunter and Staff Security Engineer at Yuga Labs, published two Twitter threads explaining his research, in which he uncovered this gaping hole in the remote-app security of several makes, including Nissan, Honda, Infiniti, and Acura.
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) November 30, 2022
Curry stated that he located the vulnerability by looking into the telematics platform shared by all of these companies, which is operated by SiriusXM. Better known for its satellite radio service, SiriusXM also offers a Connected Vehicle Services package to other brands, including BMW, Hyundai, Jaguar, Land Rover, Lexus, Subaru, and Toyota.
According to Curry, the vehicle identification number (VIN) alone was used to authorize requests sent through the telematics platform, so anyone who knew a vehicle's VIN could issue commands such as unlocking the doors, honking the horn, flashing the lights, or even starting the engine.
When Curry tested this, he also found that he could retrieve customer details, including the customer's name, home address, contact information, and vehicle details, using only the VIN, which is visible through the windshield on the dash of most vehicles.
Furthermore, the telematics API calls worked even if the owner no longer had an active SiriusXM subscription. Curry also noted that he could enroll or unenroll vehicle owners in the service at will.
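To make the authorization flaw concrete, the following is an added example and is not SiriusXM's API or Sam Curry's code. It models a toy telematics command endpoint in which the VIN alone is accepted as proof that the caller may control a vehicle, next to a hardened handler that authenticates the caller and checks that the VIN is enrolled to that customer. All VINs, customer records, commands and session tokens are constructed for the example.

```python
"""
Added example (not SiriusXM's or Sam Curry's code): a toy telematics
command API showing VIN-only "authorization" beside a handler that
binds the VIN to an authenticated customer. Every record below is
constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two customers, each with one enrolled vehicle.
CUSTOMERS = {
    "cust-1001": {"name": "A. Owner", "address": "1 Example St",
                  "vins": {"1HGCM82633A004352"}},
    "cust-2002": {"name": "B. Owner", "address": "2 Example Ave",
                  "vins": {"JN1AZ4EH7DM430001"}},
}
VIN_TO_CUSTOMER = {vin: cid for cid, c in CUSTOMERS.items() for vin in c["vins"]}

# Assumed session store: bearer token -> authenticated customer id.
SESSIONS = {"tok-alice": "cust-1001", "tok-bob": "cust-2002"}

ALLOWED_COMMANDS = {"unlock", "start", "locate", "honk", "flash"}


@dataclass
class Request:
    vin: str
    command: str
    bearer_token: Optional[str] = None  # absent for unauthenticated callers


def vulnerable_send_command(req: Request) -> dict:
    """Broken object-level authorization: whoever knows a VIN is treated
    as its owner, and the customer record comes back with the response.
    This mirrors the class of bug described in the article."""
    if req.command not in ALLOWED_COMMANDS:
        return {"status": 400, "error": "unknown command"}
    cid = VIN_TO_CUSTOMER.get(req.vin)
    if cid is None:
        return {"status": 404, "error": "unknown vehicle"}
    # Resolving the VIN to a customer is the only "authorization" step.
    return {"status": 200, "vin": req.vin, "command": req.command,
            "customer": CUSTOMERS[cid]}


def hardened_send_command(req: Request) -> dict:
    """Authenticate the caller first, then check that the VIN belongs to
    that caller. The VIN is an identifier, never a secret."""
    if req.command not in ALLOWED_COMMANDS:
        return {"status": 400, "error": "unknown command"}
    cid = SESSIONS.get(req.bearer_token or "")
    if cid is None:
        return {"status": 401, "error": "authentication required"}
    # Object-level check: is this VIN one of the caller's own vehicles?
    if req.vin not in CUSTOMERS[cid]["vins"]:
        # Same error for "not yours" and "does not exist", so the endpoint
        # cannot be used to enumerate which VINs are enrolled.
        return {"status": 404, "error": "unknown vehicle"}
    # No customer PII in the response: the caller already is the customer.
    return {"status": 200, "vin": req.vin, "command": req.command}


if __name__ == "__main__":
    target = Request(vin="1HGCM82633A004352", command="unlock")
    print("vulnerable, no credentials:", vulnerable_send_command(target))
    print("hardened, no credentials:  ", hardened_send_command(target))
    other = Request(vin="1HGCM82633A004352", command="unlock", bearer_token="tok-bob")
    print("hardened, someone else's VIN:", hardened_send_command(other))
```

The hardened handler makes the check the article says was missing: the VIN is looked up only after the caller has been authenticated, and only against the vehicles enrolled to that caller. Returning the same 404 for a foreign VIN and a nonexistent one also removes the side channel that would otherwise confirm which VINs are on the platform.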
Curry only confirmed the vulnerability for Nissan, Honda, Infiniti, and Acura vehicles; his research did not cover the other brands served by the same platform.
On the brighter side, the vulnerability has since been fixed. Before disclosing his findings publicly, Curry compiled a detailed report on the flaw and presented it to the company.
He said SiriusXM used that information to patch the vulnerability immediately, so the issue was already fixed before the news went public.
Limited Security Options
Connected cars are becoming increasingly popular. They offer a range of benefits, from remote access to fuel consumption monitoring and more. But owners who use apps to manage their vehicles also take on security risks that need to be addressed.
The security of a vulnerable app is in the hands of its developers and operators; only they can issue the updates and patches that fix a flaw like this one, so users are left with a limited and fairly conventional set of options. Here are a couple of steps you can take to reduce the risk when using apps to control your car.
To start with, do not share your car's VIN with untrusted third parties, and use a unique password for each app associated with your vehicle. Keep in mind, though, that the VIN is visible through the windshield of most vehicles, so it is not a secret; the flaw above was that the platform treated it as one, and no precaution on the owner's side can make up for that. Strong passwords that combine letters, numbers, and symbols help protect the data stored in the cloud services behind those apps.
Additionally, install any security updates released by your app provider promptly, since they close holes in the software on your phone and in the car. Note that a server-side flaw like this one is fixed by the platform operator, as happened here, not by anything you install yourself.