Sirius XM vulnerability poses hacking risk for various car brands

SecurityWeek reports that several car brands could be compromised by remote attacks leveraging a vulnerability in Sirius XM's connected vehicle services, which are being used by over 12 million vehicles in North America, including those made by Acura, Honda, BMW, Jaguar, Land Rover, Nissan, Infiniti, Subaru, Toyota, Lexus, and Hyundai. Threat actors could remotely exploit a vulnerability in the NissanConnect mobile application, which was discovered by researchers led by Sam Curry, to access vehicle owners' names, phone numbers, addresses, and car details through their VIN alone, as well as perform different commands, including car location, unlocking, and startup, headlight flashing, and horn honking. Infiniti, Honda, and Acura vehicles could also be compromised using the flaw, which has already been patched by Sirius XM. Sirius XM also noted that no data has been compromised and no unauthorized modifications were done as a result of the flaw. The report of the Sirius XM vulnerability comes after Curry exposed another vulnerability that could be leveraged to control vehicle functions in Hyundai and Genesis models made after 2012. Patches have already been released for the bug.