A code flaw that allowed criminals to steal cars online has now been fixed, according to reports, with owners urged to update their systems immediately.
The bug was found in Connected Vehicle Services, a software suite that offers a slew of features such as automatic collision notifications, enhanced roadside assistance, remote door unlocking, remote starting, stolen vehicle recovery assistance, turn-by-turn navigation and smart home integration.
Connected Vehicle Services was created by SiriusXM and is used by a number of automakers, including Honda, Nissan, Infiniti and Acura, all of which were vulnerable.
VIN for authorization
The flaw was exposed by Yuga Labs security researcher Sam Curry, who has a history of finding security flaws in cars. In a Twitter thread, Curry explained how the flaw works, and added that SiriusXM has since fixed it.
Apparently, the problem arose from the fact that the telematics platform uses the Vehicle Identification Number (VIN), which is often found on the windshield, to authorize commands and take over user profiles.
This means that whoever knows the VIN can remotely issue a number of commands, from opening the doors to starting the engine.
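To make the authorization mistake concrete, here is an added illustration (not SiriusXM's code; the ownership table, session store, VIN and command names are constructed) contrasting a VIN-only check with one bound to the authenticated account that owns the vehicle, plus a simple detection over the resulting audit log:

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data (not real accounts): which account owns which VIN,
# and which session token belongs to which authenticated account.
OWNERS = {"1HGCM82633A004352": "alice"}
SESSIONS = {"sess-alice": "alice", "sess-mallory": "mallory"}
REMOTE_COMMANDS = {"lock", "unlock", "start", "locate"}


@dataclass
class AuditLog:
    """Append-only record of every authorization decision."""
    entries: list = field(default_factory=list)


def vulnerable_authorize(vin: str, command: str) -> bool:
    """The pattern described above: the VIN alone 'proves' authority.

    A VIN is visible on the windshield and appears in listings and service
    records, so it is an identifier, not a secret.
    """
    return vin in OWNERS and command in REMOTE_COMMANDS


def hardened_authorize(session_id: str, vin: str, command: str, log: AuditLog) -> bool:
    """Require an authenticated principal AND that the principal owns the VIN."""
    account = SESSIONS.get(session_id)
    if account is None:
        log.entries.append(("deny", "unauthenticated", None, vin, command))
        return False
    if command not in REMOTE_COMMANDS:
        log.entries.append(("deny", "unknown-command", account, vin, command))
        return False
    if OWNERS.get(vin) != account:
        # The identifier is valid, but the caller has no relationship to the vehicle.
        log.entries.append(("deny", "vin-not-owned", account, vin, command))
        return False
    log.entries.append(("allow", "ok", account, vin, command))
    return True


def accounts_probing_vins(log: AuditLog, threshold: int = 3) -> set:
    """Detection: accounts repeatedly denied for VINs they do not own."""
    denials = Counter(
        e[2] for e in log.entries if e[0] == "deny" and e[1] == "vin-not-owned"
    )
    return {acct for acct, n in denials.items() if n >= threshold}
```

The hardened path never asks "is this a real VIN?" on its own; it asks "does the authenticated caller own this VIN?", which is the check the reported flaw lacked.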
Responding to the findings
A company spokesperson said SiriusXM received the tip-off via its bug bounty program.
“We take the security of our customers’ accounts very seriously and participate in a bug bounty program to help identify and patch potential security vulnerabilities affecting our platforms,” the statement read.
“As part of this work, a security researcher submitted a report to Sirius XM Connected Vehicle Services regarding an authorization flaw affecting specific telematics software. The issue was resolved within 24 hours after the report was submitted. No subscriber or other data was compromised, and no unauthorized account was modified using this method.”