As convenient as it may be to be able to control certain features of your car using only a mobile app, you should keep in mind that with innovative technology comes the threat of hackers finding vulnerabilities in it.
As it turns out, the remote car apps of several automotive giants, which let users start, unlock, honk, and locate their car from their phones, could be used without any login credentials at all.
Sam Curry, a hacker, bug bounty hunter, and Staff Security Engineer at Yuga Labs, published two threads on Twitter explaining his research, in which he uncovered this gaping hole in the security of the remote car apps for several makes, including Nissan, Honda, Infiniti, and Acura vehicles.
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) November 30, 2022
Curry stated that he located the vulnerability by looking into the telematics platform shared by all of these companies, which is provided by SiriusXM. Better known for its satellite radio service, SiriusXM also offers its Connected Vehicle Services package to other brands, such as BMW, Hyundai, Jaguar, Land Rover, Lexus, Subaru, and Toyota.
According to Curry, only the vehicle identification number (VIN) was needed to authorize the data exchanged through the telematics platform, allowing any person who knew the vehicle’s VIN