A vulnerability in the connected vehicle services could have allowed hackers to start, lock, unlock, and locate a car, flash its lights, and honk its horn. Sam Curry, a security engineer at Yuga Labs, worked with a group of security researchers to discover a flaw in the software they were working on.
In addition to providing a satellite radio subscription, the company also powers the in-car systems used by a number of auto manufacturers. These systems collect a lot of information about your car, which could pose privacy concerns. Vice reported last year that a spy firm was planning to sell the location information of over 15 billion cars to the US government.
Information about your car's GPS location, speed, turn-by-turn navigation, and maintenance requirements can be obtained by the systems. Automatic crash detection, remote engine start, stolen vehicle alert, navigation, and the ability to remotely lock or unlock your car are just a few of the smart features provided by this data. Over 12 million vehicles on the road use its connected vehicle systems, according to the company.
Curry shows that bad actors can take advantage of this system if proper safeguards aren't in place. Curry said in a statement that the company built infrastructure around the sending and receiving of the data and allowed customers to use a mobile app to authenticate to it. Users can use their accounts on these apps to execute commands and get information about their cars.
Curry points out that the system could give bad actors access to someone's car as the system uses the person's account to relay information and commands between the app and its server. Curry says he was able to get the vehicle owner's name, phone number, address, and car details by fetching a user's profile with the VIN. He was able to remotely control the vehicle, lock it, start it, and perform other functions after trying to execute commands using the VIN.
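The behaviour described above, a back end that returns a profile or accepts a command for any VIN it is given, is the kind of gap a server-side ownership check closes. The following is an added example, not code from the company or from Curry's research; it assumes the cause was a missing check that the VIN belongs to the authenticated account, and every name, VIN and record in it is constructed.

```python
# Added illustration. All identifiers and data are constructed; none come from the vendor's API.

# Constructed enrollment data: which account registered which VIN.
ENROLLMENTS = {
    "acct-alice": {"TESTVIN0000000001"},
    "acct-bob": {"TESTVIN0000000002"},
}
PROFILES = {
    "TESTVIN0000000001": {"owner": "Alice Example", "phone": "555-0100"},
    "TESTVIN0000000002": {"owner": "Bob Example", "phone": "555-0101"},
}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "locate", "flash_lights", "horn"}
AUDIT_LOG = []  # (account, vin, verdict) tuples for later review


class Forbidden(Exception):
    """Raised for unknown VINs and for VINs owned by someone else alike."""


def get_profile_weak(session_account, vin):
    # Weak pattern: the session is authenticated, but the VIN alone selects the record.
    return PROFILES[vin]


def authorize(session_account, vin):
    # Deny by default: the VIN must be enrolled to the account behind the session.
    owned = vin in ENROLLMENTS.get(session_account, set())
    AUDIT_LOG.append((session_account, vin, "allow" if owned else "deny"))
    if not owned:
        # Same error for "not yours" and "does not exist", so VINs cannot be enumerated.
        raise Forbidden("VIN not enrolled to this account")


def get_profile(session_account, vin):
    authorize(session_account, vin)
    return PROFILES[vin]


def send_command(session_account, vin, command):
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    authorize(session_account, vin)
    return {"vin": vin, "command": command, "status": "queued"}


def denied_vins(account):
    # Detection helper: distinct VINs this account was refused for.
    return {v for a, v, verdict in AUDIT_LOG if a == account and verdict == "deny"}
```

An account that accumulates refusals across many distinct VINs in `denied_vins` is a useful alerting signal, since a legitimate app only ever asks about its own vehicles.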
Curry says he told the company about the flaw and they fixed it. The company said in a statement that the vulnerability was fixed within 24 hours after it was reported. The company didn't reply to the request for comment.
Curry discovered a flaw in the MyHyundai and MyGenesis apps that could allow hackers to remotely hijack a vehicle, but he worked with the manufacturer to fix the issue. Similar exploits have been found in the past. An OnStar hack that could have let bad actors locate a vehicle remotely, unlock its doors, or start the car was discovered in 2015. The Jeep Cherokee could be remotely hacked and controlled with someone at the wheel.