Auto Express

Hackers find a way to unlock and start cars through Sirius XM and Hyundai vulnerabilities


A white hat hacker (that is, a good, ethical hacker) named Sam Curry recently discovered some security holes in new cars that would allow him to remotely unlock, start, locate, flash and honk the new cars of many manufacturers.

The good news is that the exploits Curry, a security engineer at Yuga Labs, found have been patched, and any unscrupulous hacker won’t be able to use them now. However, that doesn’t take away from the fact that the security holes existed in the first place, posing a risk to owners of potentially affected vehicles.

The first exploit Curry detailed (he posted detailed instructions on Twitter) used a flaw in Sirius XM’s Connected Vehicle service. It turns out that a lot of OEMs use Sirius XM’s Connected Vehicle service to provide remote services for their cars. The list of manufacturers currently using this system includes Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota. With so many companies under one roof, it’s even more important that the roof be secure, because a single way in gives hackers access to multiple auto companies at once.

If you speak the language of computers and online security, we recommend checking out Curry’s Twitter thread. To greatly simplify, all Curry needed to execute the aforementioned commands in cars using the Sirius XM Connected Vehicle service was the car’s VIN. Of course, this took a lot of work to eventually achieve, the kind of work that only professionals in the field are capable of doing. Curry confirmed that his hack worked on Honda, Acura, Infiniti and Nissan vehicles, but hinted that it would also work with other manufacturers using the Sirius XM Connected Vehicle service.

We asked Sirius about this hack and the company sent us back a statement:

“We take the security of our customers’ accounts very seriously and participate in the bug bounty program to help identify and fix potential security flaws affecting our platform. As part of this work, a security researcher submitted a report to Sirius XM’s Connected Media Service about an authorization vulnerability affecting a specific telecommunications program. The issue was resolved within 24 hours after the report was submitted. No registrants or other data was compromised nor any unauthorized accounts modified using this method.”

Thankfully, this hack stems from the good side of the hacking world. It’s also good to see that Sirius took the vulnerability seriously and started fixing it immediately to make sure it couldn’t be copied by any nefarious person. However, the Sirius XM hack isn’t the only car-related exploit that Curry has tackled recently. Hyundai’s smartphone car app was also in his sights.

Instead of attacking the problem from the larger umbrella of Sirius XM services, Curry turned his attention to Hyundai’s own mobile car app…and he found a way. This time, all Curry needed was the vehicle owner’s email address. With this information, Curry was able to write a script that unlocks access to all the vehicle commands a person can perform from the Hyundai smartphone app. Specifically, it works on Hyundai and Genesis models manufactured from 2012 and up. The car that Curry used is the latest generation of Hyundai Elantra. Curry could remotely control the locks, engine, horn, headlights and trunk. As with the Sirius XM exploit, we recommend reading through Curry’s Twitter thread for all the details on how he hacked the app.

We asked Hyundai about this hack and in return received the company’s statement:

“Hyundai worked hard with third-party consultants to investigate the targeted vulnerability as soon as researchers discovered it. Importantly, aside from the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others due to the issues mentioned by the researchers.

“We also note that in order to use the vulnerability intentionally, the email address associated with the Hyundai specific account and vehicle as well as the specific web script used by the researchers must be known. However, Hyundai took countermeasures within days of the announcement to further enhance the safety and security of our systems.

“We appreciate our collaboration with security researchers and appreciate the support of this team.”

Similar to Sirius XM, Hyundai seems to have taken this security vulnerability seriously and has patched it to ensure it cannot be repeated. Both the Hyundai and Sirius XM-specific hacks here are examples of good bug bounty hunting by the good guys, but they’re also examples of the risks we take when our cars are so frequently connected to the internet. The convenience of being able to lock your car from halfway across the country is a treat, but it’s important to remember that if something is connected to the internet, that thing can be hacked. OEMs know this and they take cybersecurity very seriously, but the threat from the bad guys out there is still huge as our vehicles become more and more connected and integrated with online services.
