Hackers Show How To Unlock, Start Cars Remotely

By Sean Tucker 12/02/2022 7:51am

Today’s cars are more connected than ever. So…ah…um…who…exactly…can connect to them? That’s the question white hat hacker Sam Curry wants us all to ask. This week, he exposed security flaws that could have let him track, unlock, and even start new cars from at least a dozen manufacturers.

The good news? The loopholes he exploited have already been closed. But the fact that it took an outside researcher to find and report the problem before the automakers knew about it is concerning.

So, for now, it’s just a cautionary tale.

But it’s an important one.

This year, we’ve seen drivers lose access to some of their cars’ features as old cell networks shut down. We’ve seen an automaker start charging subscription fees to use certain capabilities of their cars.

Cars are now devices as much as they are machines. That means we all have new security concerns.

John Wayne Movies and Smartphones

First, in case you haven’t encountered the term before, let’s explain “white hat hacker.” The hacker community – an informal network of tech security experts worldwide – divides security experiments into “white hat” and “black hat” categories.

The terms are borrowed from the tropes of Western movies from Hollywood’s golden age. The good cowboys tended to wear white hats to signal to the audience that they were the good guys. The bad guys wore black. Then Sergio Leone started writing antiheroes, and…yeah, we’re a car site. Right. Back to hackers.

Black hat hackers are bad guys – hackers who seek vulnerabilities in tech security to commit crimes, sell the information, and do other nefarious deeds.

White hat hackers seek to find security problems and point them out so that companies will fix them before a black hat hacker uses them.

Curry and his team from Yuga Labs demonstrated this problem so the companies involved could fix it.

SiriusXM Is More than Radio

Most of the cars Curry’s team hacked use the same technology to send and receive data: a telematics platform from SiriusXM.

It’s not unusual for different automakers to buy software or even hardware from the same companies. The well-known satellite radio company sells a telematics platform – Sirius XM Connected Vehicle Services – used by many manufacturers.

The company lists “Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota” as clients.

The system allows owners to find their cars, lock and unlock them, and even start them remotely. The hackers were able to do all of those things.

If you know the subject matter, Curry’s detailed Twitter thread on the exploit is interesting reading:

https://twitter.com/samwcyo/status/1597792097175674880

Owner Info At Risk, Too

Just as concerning, Curry tweeted that the team was able to “fetch user information from the accounts by only knowing the victim’s VIN” – the vehicle identification number, which anyone can read through your car’s windshield. A VIN is a public label for the car, not a secret, so a system that hands out the owner’s account details to whoever supplies one is not checking who is asking.

For Hyundai, Curry’s team found a different vulnerability. They were able to take control of an owner’s account in Hyundai’s smartphone app knowing only that owner’s email address. With that, they could locate the car, lock and unlock the doors, start the engine, open the trunk, flash the lights, and honk the horn.
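Both findings above come down to the same engineering mistake: a back end that lets a piece of information the attacker can simply look up (a VIN on a windshield, an email address) stand in for proof that the caller owns the car. The short Python model below is an added illustration of that class of flaw and its fix, not code from SiriusXM, Hyundai, or Curry’s team. The account records, VINs, email addresses and function names in it are constructed for the example.

```python
"""Object-level authorization for a vehicle telematics API (illustrative).

Hypothetical model of the class of flaw described in the article: a
profile-lookup endpoint that trusts a client-supplied identifier (a VIN or
an e-mail address) to decide WHOSE data to return. Nothing here is
SiriusXM's, Hyundai's or the researchers' code; every account, VIN and
e-mail address below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Account:
    email: str
    name: str
    phone: str
    vins: FrozenSet[str]  # vehicles enrolled on this account


# Constructed sample accounts. The VINs are 17-character strings shaped like
# real ones but do not correspond to real vehicles.
ACCOUNTS: Dict[str, Account] = {
    "alice@example.com": Account("alice@example.com", "Alice Owner", "555-0101",
                                 frozenset({"1HGTESTACCT000001"})),
    "bob@example.com": Account("bob@example.com", "Bob Owner", "555-0102",
                               frozenset({"JN1TESTACCT000002"})),
}

# Reverse index VIN -> account e-mail, the kind of lookup a telematics back
# end needs in order to route a remote command to the right car.
VIN_INDEX: Dict[str, str] = {
    vin: email for email, acct in ACCOUNTS.items() for vin in acct.vins
}


class Unauthenticated(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """The authenticated caller does not own the requested vehicle."""


@dataclass(frozen=True)
class Session:
    """A server-side session created by a real login (password, MFA, OAuth).
    The caller's identity comes from here, never from the request body."""
    email: str


def profile_by_vin_vulnerable(vin: str) -> dict:
    """Anti-pattern: the VIN is the only input, so anyone who can read a VIN
    off a windshield gets the owner's profile. Nothing records who is asking."""
    email = VIN_INDEX.get(vin)
    if email is None:
        raise KeyError("unknown VIN")
    acct = ACCOUNTS[email]
    return {"email": acct.email, "name": acct.name, "phone": acct.phone}


def profile_by_vin_hardened(session: Optional[Session], vin: str) -> dict:
    """Object-level authorization: authenticate first, then confirm the
    requested VIN is enrolled on the *caller's* account before returning
    anything. The VIN in the request is a selector, not a credential."""
    if session is None or session.email not in ACCOUNTS:
        raise Unauthenticated()
    caller = ACCOUNTS[session.email]
    if vin not in caller.vins:
        # Same response whether the VIN exists on another account or not at
        # all, so the endpoint cannot be used to enumerate enrolled vehicles.
        raise Forbidden()
    return {"email": caller.email, "name": caller.name, "phone": caller.phone}


def hardened_outcome(session: Optional[Session], vin: str) -> str:
    """Map the hardened handler's result to a status string, the way an HTTP
    layer would map it to 200 / 401 / 403."""
    try:
        profile_by_vin_hardened(session, vin)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    alice_vin = "1HGTESTACCT000001"
    # Anyone with the VIN gets Alice's contact details from the weak endpoint.
    print("vulnerable:", profile_by_vin_vulnerable(alice_vin))
    # The hardened endpoint only serves the VIN's actual owner.
    print("no session:", hardened_outcome(None, alice_vin))
    print("bob asking about alice's car:", hardened_outcome(Session("bob@example.com"), alice_vin))
    print("alice asking about her own car:", hardened_outcome(Session("alice@example.com"), alice_vin))
```

The point of the two handlers side by side is that the fix is not about hiding the VIN or the email address; both stay public. It is that the server decides whose data to release from a login-backed session and a server-side ownership record, and returns the same denial for “someone else’s car” and “no such car”.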

Companies Fixed the Flaw Immediately

Both SiriusXM and Hyundai said they have already closed the vulnerabilities Curry’s team of white hats warned about.

SiriusXM says, “The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”

A Hyundai spokesperson says, “Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems.” A company investigation confirmed that “no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers.”