Sam Curry could lock, unlock, and remotely start affected vehicles.
一个cybersecurity expert has uncovered a vulnerability in connected vehicles from popular brands like Honda, Acura, Infiniti, and Nissan.
Sam Curry, a well-known bug bounty hunter, could remotely start engines, operate door locks, and, shockingly, locate vehicles. He took to Twitter to explain how this shocking flaw was uncovered - and it's got to do with SiriusXM Connected Vehicle Services.
The company enables manufacturers to offer consumers remote functionality. However, the platform's data exchange utilizes the VIN to authorize remote instructions. The risks are plain to see: A motivated hacker with enough knowledge could target unassuming individuals by unlocking the vehicle, starting the engine, and getting a fellow criminal to drive off with the car.
This would be entirely possible, as Curry's assessment also showed it was possible to get hold of private information, like home addresses. He wrote, "We took the authorization bearer and used it in an HTTP request to fetch the user profile. It worked!"
"The response contained the victim's name, phone number, address, and car details. At this point, we made a simple python script to fetch the customer details of any VIN number," added Curry.
Curry was only able to find this worrying vulnerability for the brands mentioned earlier but notes the service is also used by BMW, Hyundai, Jaguar, Land Rover, Lexus, and Toyota. So, if you drive aHonda Civicor a top-of-the-range Infiniti, is your vehicle at risk of being hacked? Hopefully not.
"We reported the issue to SiriusXM, who fixed it immediately and validated their patch," concluded Curry.
一个spokesperson from SiriusXM Connect Vehicle Services said, "we take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. A security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program."
"The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method," he added.
Connected cars provide owners with more convenience, which is lovely, but some risks come with this technology. Earlier this year, hackers were able to remotely start Honda vehiclesby exploiting the keyless-entry system.
Simply transmitting the correct authentication codes between the key fob and the car enables the hacker to start the vehicle and, theoretically, drive away with it. Similarly, a German security expert purported to have remotecontrol over no less than 25 Teslas. The ethical hacker claimed he could open the doors and windows, check the vehicle's location, and even disable the Sentry Mode feature.
This increase in hacking attempts and obvious vulnerabilities has led the NHTSAto release new guidelines on vehicle cybersecurity. "Cybersecurity needs to be a top priority for every automaker, developer, and operator," said a representative at the time.
一个cura
一个lfa Romeo
一个ston Martin
一个udi
一个utomobili Pininfarina
Bentley
BMW
Bollinger
BrightDrop
Bugatti
Buick
Cadillac
Caterham
Chevrolet
Chrysler
Dodge
Ferrari
Fiat
Fisker
Ford
Genesis
GMC
Gordon Murray Automotive
亨尼西
Honda
Hyundai
Ineos Automotive
Infiniti
Jaguar
Jeep
Karma
Kia
Koenigsegg
Lamborghini
Land Rover
Lexus
Lincoln
Lordstown
Lotus
Lucid Motors
Maserati
Mazda
McLaren
Mercedes-Benz
Mini
Mitsubishi
Nissan
Pagani
Polestar
Porsche
Ram
Rimac
Rivian
Rolls-Royce
Spyker
斯巴鲁
Tesla
Toyota
VinFast
Volkswagen
Volvo
Join The Discussion