Last month, we wrote about how security researchers found (since closed) vulnerabilities in Hyundai’s mobile app that allowed potential attackers to access victim Hyundai cars. Those same researchers found a similar and arguably easier-to-exploit opening in an unexpected source: SiriusXM. While best known for their satellite radio service, SiriusXM spun off to provide connected vehicle services. And it turns out that technology forms the backbone of numerous connected vehicle apps in use today.
Once again, the researchers started by intercepting API traffic from a Nissan they were using for testing purposes. Through trial and error, they discovered that it was possible to send HTTP requests through the API without proper authorization with only the VIN (vehicle identification number, displayed on the windshield in most cars). This returned the car's and owner's information while also granting access to the commands found on the connected vehicle app, such as starting and stopping the engine and unlocking the doors.
In short, as with the Hyundai vulnerability, all that was needed to get into the car was a simple, relatively easy-to-find piece of information. Unlike Hyundai’s email address problem, the VIN is staring right back at you if you’re looking at a car you’re interested in stealing. And while it may seem somewhat outlandish imagining a car thief standing by a target intercepting API data, all it takes is one person to discover and disseminate a procedure whereby a potential attacker can just use the VIN and their mobile device to get in. And with car theft seeing a small uptick (at least in the United States) over the last few years, these concerns are relevant.
Ultimately, just like with the Hyundai instance, the risk of breach appears mostly mitigated. The researchers found it, alerted Sirius, and a fix was implemented almost immediately. But with the wellbeing of 12 million cars at stake, the next vulnerability might be less benevolent.