SiriusXM Software Flaw Lets Researchers Unlock And Start The Car Remotely

A security flaw was discovered in SiriusXM’s connected vehicle service that made vehicles from various automakers vulnerable to hacker attacks. Automotive News reports that the investigators could control a variety of functions, including unlocking doors and starting engines. The issue is reported to have been fixed.

The problem was initially discovered by software security researchers investigating the 2022 Hyundai Sonata Hybrid. An unspecified flaw in the computer code allowed researchers to locate the car, activate its horn and lights, lock the doors, and start the engine, provided they had the vehicle identification number (VIN). Steering, acceleration, brakes and the other systems needed to drive the car remotely were not accessible.

Using this information, researchers accessed models from Honda, Toyota, and Nissan in the same way. Deeper investigation into the matter uncovered issues related to SiriusXM’s connected services, which offer a variety of remote assistance including automatic accident notification, vehicle monitoring and stolen vehicle recovery, geofencing, and more.

According to the SiriusXM connected services website, the company has programs with 15 OEMs, offers more than 50 connected services, and is active in more than 12 million vehicles. No automakers other than Honda, Toyota, Nissan and Hyundai were named in the report.

Once the flaw was uncovered, researchers notified SiriusXM and the automaker. In a statement to Automotive News, SiriusXM said the issue was “resolved within 24 hours of the report being submitted. No customer or other data was compromised, nor were any unauthorized accounts altered using this method.” Statements from Hyundai and Honda show no known malicious acts or compromised accounts as a result of the issue.

As wireless technology evolves in the automotive space, questions about security continue to arise. In early 2022, a 19-year-old hacker managed to gain control of a Tesla vehicle and reported the problem to Tesla. There was a somewhat notable incident in 2015 where a Jeep Cherokee was remotely hacked. However, this is not just a problem for modern connected systems. A 2019 study sheds light on how the signal from a remote key fob can be intercepted and used to unlock or start a vehicle.