In context: Remote apps for cars are a great convenience. I love remotely starting my Subaru Legacy to allow it to warm up for a bit now that the weather is getting chilly. However, these features are not without some risk. Some are calculated. For example, you can limit the chances of car theft by not unlocking or starting the car unless you have a direct line of sight. Other threats are out of your hands, like the security of the remote app.
Those convenient remote car apps that allow you to start, unlock, honk, and even locate your car from your phone might not be as secure as you thought. Hackers figured out a way to do all those things without needing your login credentials.
The trick worked for several makes, including Acura, Honda, Infiniti, and Nissan vehicles. It might also work on BMW, Hyundai, Jaguar, Land Rover, Lexus, Subaru, and Toyota, since they all use the same telematics provider. The list of cars was so broad because SiriusXM appears to be the company handling remote services for all of these manufacturers.
More car hacking! — Sam Curry (@samwcyo) November 30, 2022
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here's how we found it, and how it works: pic.twitter.com/ul3A4sT47k
The hackers were unaware that SiriusXM was even in this line of business, as it is better known for its satellite radio functionality. However, if you own any of those makes, you are probably already aware that SiriusXM is behind your car's remote services since you have to create an account to use them.
Sam Curry, a self-proclaimed hacker, bug bounty hunter, and Staff Security Engineer at Yuga Labs, explained in a Twitter thread that all he and his team needed to access any driver profile was the car's vehicle identification number (VIN). This code is unique to each car. However, it is easily obtained with a stroll through any parking lot, since it is visible through the windshield on the dash of most vehicles.
It took the researchers a while to reverse-engineer the apps, but since SiriusXM put all its eggs in one basket, they needed only one for a proof-of-concept — NissanConnect. They contacted someone who owned a Nissan and borrowed their credentials to dig further into the authentication process.
While exploring this avenue, we kept seeing SiriusXM referenced in source code and documentation relating to vehicle telematics. — Sam Curry (@samwcyo) November 30, 2022
This was super interesting to us, because we didn't know SiriusXM offered any remote vehicle management functionality, but it turns out, they do! pic.twitter.com/Thxkdkdhn4
The apps work by communicating with a domain owned by SiriusXM, not with the car manufacturer, as one would intuitively think. Through trial and error, Curry found that the only parameter that the NissanConnect app and the hosted authentication server cared about was "customerId." Changing other fields, like "vin," had no effect.
During its snooping, the team discovered that the customerId field had a "nissancust" prefix and a "Cv-Tsp" header that specified "NISSAN_17MY" for the test vehicle. If they changed either of these variables, requests failed. So they put that endpoint on the back burner and concentrated on others.
Several hours later, the researchers encountered an HTTP response that had a "vin format [that] looked eerily similar to the 'nissancust' prefix from the earlier HTTP request." So they tried sending the VIN-prefixed ID as the customerId. Surprisingly, it returned a bearer token, which was something of a eureka moment. They then used the bearer token to send a fetch request for the user profile, and it worked!
The format of the "customerId" parameter was interesting as there was a "nissancust" prefix to the identifier along with the "Cv-Tsp" header which specified "NISSAN_17MY". — Sam Curry (@samwcyo) November 30, 2022
When we changed either of these inputs, this request failed.
The researchers accessed various customer information via HTTP, including the victim's name, phone number, address, and car details. Using this as a framework, they created a Python script to access the customer details of any VIN entered. More poking and prodding led Curry to find that he could not only view account information but also use the access to send command requests to the car.
"We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield," Curry tweeted. "We were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number [sic] of the car."
It returned "200 OK" and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier. — Sam Curry (@samwcyo) November 30, 2022
To make sure this wasn't related to our session JWT, we completely dropped the Authorization parameter and it still worked! pic.twitter.com/zCdCHQfCcY
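The flaw the article describes, and that Curry's tweets above confirm, is a token-issuance endpoint that trusted a client-supplied identifier and never consulted the session. The toy model below is an added example, not SiriusXM's code or Curry's script: it places a handler with that "before" behaviour beside a hardened "after" handler that derives identity only from an authenticated session. Every endpoint, field name, customer record, VIN and session value in it is constructed for the illustration.

```python
"""Toy model of a telematics token-issuance endpoint, before and after the
fix. The 'before' handler resolves whatever identifier the client sends
(internal customer id or VIN) and mints a token for it without needing a
session; the 'after' handler takes identity from the session alone.
All names, data and endpoints here are constructed, not a real API."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

SIGNING_KEY = secrets.token_bytes(32)  # per-process demo key (constructed)

# Constructed customer directory: internal customer id -> profile (PII).
CUSTOMERS = {
    "cust-1001": {"vin": "VIN00000000000001", "name": "Alice Example", "phone": "555-0101"},
    "cust-1002": {"vin": "VIN00000000000002", "name": "Bob Example", "phone": "555-0102"},
}
VIN_INDEX = {p["vin"]: cid for cid, p in CUSTOMERS.items()}

# Constructed session store: what a real login would have created.
SESSIONS = {"sess-alice": "cust-1001"}


def mint_bearer(subject: str) -> str:
    """HMAC-signed bearer token naming the customer it was issued for."""
    payload = json.dumps({"sub": subject}, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def subject_of(token: str) -> Optional[str]:
    """Verify a bearer token and return its subject, or None if invalid."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)["sub"]


def issue_token_vulnerable(headers: dict, body: dict) -> dict:
    """BEFORE: the body's customerId is resolved to an account, whether it is
    an internal id or a VIN, and a token is minted for whoever it names.
    The Authorization header is never read, so no session is required."""
    supplied = body.get("customerId", "")
    customer_id = supplied if supplied in CUSTOMERS else VIN_INDEX.get(supplied)
    if customer_id is None:
        return {"status": 404}
    return {"status": 200, "token": mint_bearer(customer_id)}


def issue_token_hardened(headers: dict, body: dict) -> dict:
    """AFTER: identity comes only from the authenticated session. A supplied
    customerId is at most cross-checked against it, never used as the subject."""
    session = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    customer_id = SESSIONS.get(session)
    if customer_id is None:
        return {"status": 401}  # no valid session: nothing to issue a token for
    supplied = body.get("customerId")
    if supplied is not None and supplied != customer_id:
        return {"status": 403}  # session does not own the requested account
    return {"status": 200, "token": mint_bearer(customer_id)}


def fetch_profile(token: str) -> dict:
    """Profile endpoint: returns the PII belonging to the token's subject."""
    subject = subject_of(token)
    if subject is None or subject not in CUSTOMERS:
        return {"status": 401}
    return {"status": 200, "profile": CUSTOMERS[subject]}


def demo() -> dict:
    """Send the same session-less, VIN-only request to both handlers."""
    headers = {}  # no Authorization header at all
    body = {"customerId": "VIN00000000000002"}  # a VIN, which is not a secret
    before = issue_token_vulnerable(headers, body)
    after = issue_token_hardened(headers, body)
    leaked = None
    if before["status"] == 200:
        leaked = fetch_profile(before["token"])["profile"]["name"]
    return {"before_status": before["status"], "before_leaks": leaked,
            "after_status": after["status"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the token signing itself is sound in both versions; what makes the "before" handler an authentication bypass is that the subject of the token is chosen by the caller rather than by the server's record of who is logged in. The hardened handler also returns 403 rather than silently substituting the session's account when the two disagree, which gives defenders a distinct status to alert on.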
Furthermore, the API calls for telematics services worked even if the user no longer had an active SiriusXM subscription. Curry also noted that he could enroll or unenroll vehicle owners from the service at will.
Don't panic if you have one of these makes and use its remote functionality. Yuga Labs contacted SiriusXM about the gaping security hole, and it immediately issued a patch before the researchers announced the vulnerability earlier this week.