If you have seen the numerous TLS videos of cars being stolen very quickly, you may have watched them very closely. The robbers will look at the windshield (or may have looked at the windshield earlier or in another location) to obtain the VIN, which is all they need to steal the car.
Given the recent uptick in stolen vehicles, cybersecurity researchers have discovered a security vulnerability that exposes cars from Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota to remote attacks through a connected vehicle service provided by SiriusXM.
SiriusXM’s Connected Vehicles (CV) Services are said to be used by more than 10 million vehicles in North America.
The issue could be exploited to unlock, start, locate, and honk any car in an unauthorized manner just by knowing the vehicle’s vehicle identification number (VIN), which is displayed under the front window of every car.
The system is designed to enable a wide range of safety, security, and convenience services such as automatic crash notification, enhanced roadside assistance, remote door unlock, remote engine start, stolen vehicle recovery assistance, turn-by-turn navigation, and even integration with smart home devices like thermostats, alarm systems, and more.
A separate vulnerability affecting Hyundai and Genesis vehicles made after 2012 could be used to remotely control their locks, engines, headlights, and trunks by using registered email addresses.
The MyHyundai and MyGenesis apps can be easily hacked to get around the email validation step and seize control of a target car’s functions remotely.
SiriusXM and Hyundai have since rolled out patches to address the flaws.
On a side note, hackers are now exploiting the infrastructure powering electric vehicle (EV) charging to skim credit card data, alter pricing, and even hijack an entire EV charger network.