Cybersecurity researchers have discovered a security flaw that exposed Honda, Nissan, Infiniti, and Acura automobiles to remote attacks via SiriusXM’s connected vehicle service.
The issue could be exploited to unlock, start, locate, and honk any vehicle in an unauthorized manner simply by knowing the vehicle’s identification number (VIN), researcher Sam Curry said in a Twitter thread a week ago.
More than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, are said to use SiriusXM’s Connected Vehicles (CV) Services. Automatic crash notification, enhanced roadside assistance, remote door unlock, remote engine start, stolen vehicle recovery assistance, turn-by-turn navigation, and integration with smart home devices are just a few of the safety, security, and convenience services that the system is designed to support.
An authorization flaw in a telematics program made it possible to send a specially crafted HTTP request containing the VIN to a SiriusXM endpoint (telematics.net) and retrieve a victim's personal information as well as execute commands on the vehicles.
Curry also talked about a separate vulnerability that affects Hyundai and Genesis vehicles. This vulnerability could be abused to remotely control the locks, engines, headlights, and trunks of vehicles manufactured after 2012 by using the registered email addresses.
The researchers were able to circumvent the email validation step and gain remote control of a target car by reverse engineering the MyGenesis and MyHyundai apps and examining API traffic.
Curry explained, “We could create an account that bypassed the JWT and email parameter comparison check by adding a CRLF character at the end of an already existing victim email address during registration.”
Since then, Hyundai and SiriusXM have released patches to fix the problems.
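The class of check Curry's quote describes, as an added example that is not code from Hyundai, the researchers, or this article: a uniqueness check on the raw email string sits beside a hardened version that rejects control characters and compares canonical forms. The account store, the function names, and the downstream component that trims whitespace are assumptions made for illustration.

```python
import re

# Constructed sample data: one already-registered account.
REGISTERED = {"victim@example.com"}

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# fullmatch() is used below so a trailing "\n" cannot slip past a "$" anchor.
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def naive_is_new_account(email: str) -> bool:
    """Weak check: raw comparison, so 'victim@example.com\\r\\n' looks new."""
    return email not in REGISTERED


def downstream_identity(email: str) -> str:
    """Assumed later component that trims whitespace before using the address."""
    return email.strip().lower()


def canonical_email(email: str) -> str:
    """Reject control characters and padding, then normalise case.

    Lower-casing the whole address is a policy choice assumed here.
    """
    if _CONTROL.search(email) or email != email.strip():
        raise ValueError("control character or surrounding whitespace in email")
    if not _EMAIL.fullmatch(email):
        raise ValueError("malformed email")
    return email.lower()


def hardened_is_new_account(email: str) -> bool:
    """Uniqueness is decided on the canonical form only."""
    return canonical_email(email) not in REGISTERED


def token_matches_request(jwt_email_claim: str, request_email: str) -> bool:
    """Authorise only when both values are valid and canonically equal."""
    try:
        return canonical_email(jwt_email_claim) == canonical_email(request_email)
    except ValueError:
        return False
```

The weak path treats the padded address as a new account while the assumed downstream component resolves it to the existing one; the hardened path refuses the input before either comparison runs.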
The findings come as Sandia National Laboratories summarized a number of known flaws in the infrastructure that powers electric vehicle (EV) charging. These flaws could be used to steal credit card data, alter pricing, or even hijack an entire EV charger network.