A bizarre SiriusXM code flaw could unlock your smart vehicle. The flaw has now been fixed, and owners are advised to update now.
A Bizarre SiriusXM Code Flaw Could Unlock Your Smart Vehicle
A coding flaw that lets criminals steal cars over the internet has now been fixed, according to multiple reports, and owners all over the world are urged to update their systems immediately.
The flaw was found in Connected Vehicle Services, a software suite that offers features such as automatic crash notifications, remote door unlocking, enhanced roadside assistance, remote start, turn-by-turn navigation, stolen vehicle recovery assistance, and integration with smart home devices.
SiriusXM Built Connected Vehicle Services
SiriusXM is the firm that built Connected Vehicle Services, which is used by a host of automakers, including Honda, Nissan, Acura, and Infiniti, all of which were vulnerable.
The flaw was made public by security researcher Sam Curry of Yuga Labs, who has a history of finding security flaws in automobiles. In a Twitter thread, Curry explained how the flaw works and added that SiriusXM has already fixed it.
The issue apparently stemmed from the fact that the telematics platform uses the car’s Vehicle Identification Number (VIN), which is often found on the windshield, to authorize commands and fetch user profiles.
What Does This Mean?
This means that whoever knows the VIN can remotely issue a host of commands, ranging from unlocking the doors to starting the engine.
A company spokesperson, responding to the findings, told The Register that SiriusXM was tipped off through its bug bounty program.
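The authorization pattern described above, as an added example: a simplified Python model, not SiriusXM's code or API, that puts a check trusting the VIN alone next to one that requires the logged-in account to own the vehicle. The enrollment table, account names, VINs and command names are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which account enrolled which vehicle.
ENROLLMENTS = {
    "EXAMPLEVIN0000001": "acct-alice",
    "EXAMPLEVIN0000002": "acct-bob",
}
ALLOWED_COMMANDS = {"unlock", "remote_start", "locate"}  # hypothetical command names


@dataclass
class Request:
    session_account: Optional[str]  # account proven by the login session, None if anonymous
    vin: str                        # vehicle the caller names in the request
    command: str


def authorize_by_vin_only(req: Request) -> bool:
    """Flawed pattern: a known VIN is treated as proof of ownership."""
    return req.vin in ENROLLMENTS and req.command in ALLOWED_COMMANDS


def authorize_by_ownership(req: Request) -> bool:
    """Corrected pattern: the VIN only selects the vehicle; the session must own it."""
    if req.session_account is None or req.command not in ALLOWED_COMMANDS:
        return False
    owner = ENROLLMENTS.get(req.vin)
    return owner is not None and owner == req.session_account


def cross_account_requests(log: list[Request]) -> list[Request]:
    """Review aid: requests the flawed check allows but the ownership check denies."""
    return [r for r in log if authorize_by_vin_only(r) and not authorize_by_ownership(r)]


# Constructed request log.
SAMPLE_LOG = [
    Request("acct-alice", "EXAMPLEVIN0000001", "unlock"),      # owner, legitimate
    Request("acct-bob", "EXAMPLEVIN0000001", "remote_start"),  # another customer's VIN
    Request(None, "EXAMPLEVIN0000002", "unlock"),              # no session at all
    Request("acct-bob", "EXAMPLEVIN0000002", "locate"),        # owner, legitimate
]

if __name__ == "__main__":
    for r in cross_account_requests(SAMPLE_LOG):
        print("denied once ownership is enforced:", r)
```

Because a VIN is visible to anyone standing next to the car, it can identify a vehicle but cannot serve as a secret; the ownership check is what separates the two roles.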
The Company’s Response to the Findings
“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms,” the statement reads.
“As part of this work, a security researcher submitted a report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”