Published: February 27, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
At a time when “smart” technology and cars have united, it may be no surprise certain software flaws are making smart cars appealing to cybercriminals. That’s a problem that Sirius XM faced when a bug bounty hunter found flaws with their Connected Vehicle Services. The results included vulnerabilities allowing smart car locks to be opened and ignitions started from a remote location. Smart car owners using Sirius XM services should be concerned, so read on to learn more about this troubling software bug.
Many companies relying on software for their products participate in a bug bounty hunter program for finding system flaws needing a fix. Through this program, Sirius XM learned their connected vehicle services had flaws affecting car companies Honda, Jaguar, Acura, Hyundai, BMW, Infiniti, Subaru, Lexus, Toyota, Nissan, and Land Rover.
Uh-Oh…
Using the vehicle VIN number easily visible on most car dashboards, attackers could remotely locate the vehicle, open door locks, start the ignition, honk the horn and flash the lights on connected cars. Car owner profiles were also accessed, potentially putting personally identifiable information (PII) at risk.
Looking to find the common denominator among the many different car manufacturers having the same exploits in common, it was discovered those connected to Sirius XM telematic services were affected. Although Sirius XM patched the flaws, software bugs affecting vehicles have been exploited for well over a decade. Ever since technology began being used in vehicles, flaws ranging from the mundane to potentially life-threatening have been found.
What to Do
Make sure all your apps, in this case Sirius XM, are always updated as soon as humanly possible. They should have the latest version available, as well as up-to-date patch fixes. Software companies continually fix flaws they find in their programs, including those revealed by bug bounty hunters. Any device not updated, including cars, is open to exploitation by bad actors. So, don’t wait to update. And it’s always a smart choice to change your passwords when something like this happens. Even if there is no notification that it was stolen, it takes a minute and can save a lot of head and heartache. We're serious.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at advisor@nadicent.com