Car thefts are an unfortunate and ongoing problem. According to the National Insurance Crime Bureau, nearly half a million vehicles were stolen in the first half of 2022, up 25 percent compared to the same period in 2019.
Of all the ways to steal a car, a backdoor in your satellite radio provider’s code seems fairly unlikely but that’s exactly what Sam Curry, a security engineer at Yuga Labs, found.
Last week Curry posted a lengthy Twitter thread describing how he and his team discovered and exploited a vulnerability in SiriusXM’s code. The company may be best known as a satellite radio provider but it also provides connected vehicle services for several large automakers including Acura, BMW, Jaguar, Honda, Lexus, Nissan, Subaru and Toyota.
Curry’s team did a lot of digging and eventually found a way to execute remote commands like unlock and start, and only needed a vehicle’s VIN number, which is often visible on the windshield, to get in.
The good news is that the issue was reported immediately to SiriusXM, which fixed the problem right away. The company told The Verge that the problem “was resolved within 24 hours after the report was submitted” and that “at no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.” The bad news is that such a glaring and dangerous hole in the code was there in the first place.
Had the problem not been caught by Curry and his team and resolved so quickly by SiriusXM, it could have caused widespread issues. SiriusXM says there are more than 12 million active vehicles on the road using its connected vehicle services. Instead, it’s just a lesson that sometimes, as things get smarter, dumb mistakes can present serious problems.