Security Expert Locates Sirius XM Bug That Allowed Vehicle Hacking

An update has resolved the bug

Sirius XM logo
The security issue has since been resolved.
Pavlo Gonchar/SOPA Images/LightRocket via Getty Images

Security expert Sam Curry’s Twitter bio includes the phrase “bug bounty hunter” — and the latest flaw he’s uncovered is a big one, which could have allowed hackers to remotely start and unlock vehicles from a host of automakers. The issue, it turned out, came with software used by Sirius XM.

In this case, it didn’t have anything to do with audio, which might be the first thing that comes to mind when Sirius XM comes to mind. Instead, the security vulnerability came from another aspect of Sirius XM’s business — their vehicle connectivity services.

Curry outlined the process of identifying the security issue in a lengthy Twitter thread, which is well worth reading.

A J.D. Power article from 2021 noted that “all car companies now offer some form of connected services” — and some third-party providers do the same. As The Verge pointed out in an article about Curry’s findings, the software flaw allowed a hacker who had a vehicle’s VIN to utilize it to carry out a number of commands, including starting the car and locking or unlocking the doors.

Thankfully, the issue has been resolved as of now. Curry notified Sirius XM of the security flaw, and the company released a software update that fixed it within 24 hours. A statement that Sirius XM made to The Verge also assured readers that the security flaw had been resolved without it ever having been taken advantage of, noting that “at no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”

The Verge’s article cites a figure of 12 million vehicles that utilize Sirius XM’s vehicle connectivity systems. All of which is a good reminder to make sure your own vehicle’s software is up to date — just to be on the safe side.

The InsideHook Newsletter.

News, advice and insights for the most interesting person in the room.