A code flaw that allowed criminals to steal cars over the internet has now been fixed, according to reports, which urge owners to update their systems immediately.
The flaw was found in Connected Vehicle Services, a software suite that offers a slew of features such as automatic crash notifications, enhanced roadside assistance, remote door unlocking, remote starting, stolen vehicle recovery assistance, turn-by-turn navigation, and integration with smart home devices.
Built by SiriusXM, Connected Vehicle Services is used by a variety of automakers, including Honda, Nissan, Infiniti, and Acura, all of which were vulnerable.
VIN for authorization
The flaw was made public by Yuga Labs security researcher Sam Curry, who has a history of finding security flaws in cars. In a Twitter thread, Curry explained how the bug works and added that SiriusXM had already fixed it.
Apparently, the problem stemmed from the fact that the telematics platform uses the vehicle identification number (VIN), often visible through the windshield, to authorize commands and obtain user profiles.
This means that anyone who knows the VIN can remotely issue a number of commands, from unlocking the doors to starting the engine.
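To make the authorization error concrete, the following is an added illustration (not SiriusXM's code, and not from Curry's report): a simplified telematics command handler that accepts a VIN as proof of authority, beside a corrected handler that first authenticates the caller and then checks that the VIN is registered to that caller's account. All account ids, tokens and VINs are constructed for the example.

```python
# Constructed example: VIN-as-authorization (flawed) vs. account-bound
# authorization (fixed) for a telematics command endpoint.
from dataclasses import dataclass
from typing import Optional

# Constructed data: which VIN is registered to which customer account.
VEHICLE_OWNERS = {"1HGCM82633A004352": "acct-alice"}
# Constructed data: session tokens issued by the login flow -> account id.
SESSIONS = {"tok-alice": "acct-alice", "tok-mallory": "acct-mallory"}


@dataclass
class Request:
    vin: str
    command: str
    token: Optional[str] = None  # the flawed handler never looks at this


def handle_vulnerable(req: Request) -> str:
    """Flawed pattern: a well-formed VIN is treated as authorization.
    Anyone who can read the VIN off the windshield can issue commands."""
    if len(req.vin) != 17:
        return "rejected: malformed VIN"
    return f"executed {req.command} on {req.vin}"


def handle_fixed(req: Request) -> str:
    """Corrected pattern: authenticate the caller, then verify the VIN
    belongs to that caller's account (object-level authorization)."""
    account = SESSIONS.get(req.token or "")
    if account is None:
        return "rejected: not authenticated"
    if VEHICLE_OWNERS.get(req.vin) != account:
        # Same answer whether the VIN is unknown or owned by someone else,
        # so the endpoint does not reveal which VINs are enrolled.
        return "rejected: vehicle not linked to this account"
    return f"executed {req.command} on {req.vin}"
```

The fixed handler rejects a valid VIN presented without a session, and also a valid VIN presented by an authenticated account that does not own it; only the owner's session executes the command.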
Responding to the findings in The Register, a company spokesperson said SiriusXM was tipped off through its bug bounty program.
“We take the security of our customers’ accounts seriously and are participating in a bug bounty program to help identify and correct potential security flaws affecting our platforms,” the statement read.
“As part of this work, a security researcher submitted a report to Sirius XM’s Connected Vehicle Services about an authorization error affecting a specific telematics program. The issue was resolved within 24 hours of submitting the report. At no time has a subscriber or other data been compromised, nor has an unauthorized account been modified using this method.”
Via: The Register