Last week cyber security researcher, Sam Curry, published on Twitter that he and his team had discovered a security vulnerability in a service provided by SiriusXM Connected Vehicle Services. SiriusXM Connected Vehicle Services is a software suite offering services to connected vehicles which enable various features of convenience, security, and safety. For example, turn-by-turn navigation, enhanced roadside assistance, remote door unlocking, remote engine starting, assistance with recovering stolen vehicles, automatic crash notification, or integration with smart home devices. SiriusXM’s Connected Vehicles Services are estimated to be used by more than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.
Sam Curry posted on Twitter that by only knowing the VIN (vehicle identifying number) the security flaw in SiriusXM Connected Vehicle Services enabled the group to unlock, start, locate, and honk the horn on vehicle models from carmakers Nissan, Honda, Acura, and Infiniti.
Apparently, the vulnerability was related to an authorization flaw in a telematics application that allowed attackers to remotely take control of affected vehicles and collect victims’ personal information by sending some specially crafted HTTP requests with the VIN number to a SiriusXM Connected Vehicles Services endpoint (“telematics.net”).
A little later, cybersecurity researcher Sam Curry, also detailed another separate vulnerability on Twitter, this time affecting Hyundai and Genesis cars. By looking at the API traffic and some reverse engineering of the MyHyundai and MyGenesis apps, the researchers found a way to skip the email validation step and seize control of a target car’s functions remotely. Sam Curry explained, that by using registered email addresses and adding a CRLF character at the end of it in the MyHyundai and the MyGenesis apps, remote attacks controlling the locks, engines, headlights, and trunks could be performed on vehicles made after 2012.
Both SiriusXM and Hyundai have released patches to address the flaws.
RISE Cyber Test Lab
RISE Research Institutes of Sweden AB (RISE) is a Swedish state-owned research institute, collaborating with universities, industry, and public sector has recently launched RISE Cyber Test Lab for Automotive. The Lab will enable the automotive industry to test vehicles using the latest cyber technology and the world’s most rigorous testing methods in one of Europe’s most advanced cyber security initiatives for vehicle testing, according to their website.
The Cyber Test Lab will offer a range of unprecedented insights, methods, and test beds in collaboration with world leading telecom experts and ethical hackers. The partnership will support manufacturers to build more secure connected vehicles.
“It might sound controversial, but we firmly believe working with ethical hackers is critical in testing vehicles to their limits. The ethical hackers are selected partners from our existing Cyber Range in Stockholm. This launch of the Cyber Test Lab is especially important at a time when cyber-attacks and cyber threats against infrastructure and connected technology has become a fast-growing problem around the world.”
Sweden hosts some of the world’s most well-known global automotive companies such as Scania, Volvo Trucks, Volvo Cars and Koenigsegg. Sweden is also home to some innovative new start-ups like Einride, Polestar and Volta Trucks as well as companies supplying advanced technology for connected and self-driving vehicles. Hence, the focus on the automotive industry was an obvious starting point for the Cyber Test Lab.
The RISE Cyber Test Lab will start advanced testing by the beginning of 2023. In preparation, some pilot projects are already on-going where simulated cyber-attacks on vehicles and electric vehicles charging infrastructure are being tested.
More cyber security news
Sandia National Laboratories has studied vulnerabilities of electric vehicle charging infrastructure. Review of vulnerabilities helps prioritize grid protections, informs policy makers. https://newsreleases.sandia.gov/ev_security/
FBI joins investigation into Continental ransomware attack. https://techmonitor.ai/technology/cybersecurity/continental-cyberattack-ransomware-lockbit-fbi
Written by Joakim Rosell