A critical vulnerability uncovered in Honda, Nissan, Infiniti, and Acura vehicle apps lets hackers and law enforcement agencies unlock the car remotely and start the vehicle with a laptop from anywhere in the world.
The critical bug exists in SiriusXM, a connected vehicle platform that offers services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.
During routine research, Sam Curry, a web application security researcher, and his team found a critical vulnerability in the remote management service for connected vehicles enrolled with SiriusXM mobile apps.
The research has not only highlighted how one vulnerability could have a physical effect on a huge number of cars but also how much personal data can be retrieved from a vehicle.



With only the VIN number, any attacker can fetch the customer details with the help of a Python script, and continued escalation led the researchers to find the HTTP request that runs vehicle commands.
At this point, an attacker can access customer information and run vehicle commands to unlock the vehicle and start the car remotely.
Researchers successfully tested this bug on Honda, Infiniti, and Acura vehicles in addition to Nissan vehicles and reported the issue to SiriusXM, which fixed it immediately.
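As the article describes it, knowing a VIN was enough to read customer details and send vehicle commands. The following added example (not code from the researchers or SiriusXM; every function name, account id and VIN is a hypothetical, constructed value) contrasts a VIN-only lookup with handlers that bind the VIN to the authenticated account and record denied attempts for detection.

```python
"""Object-level authorization for VIN-addressed requests (illustrative sketch)."""

# Constructed sample data; account ids, VINs and profile fields are hypothetical.
ENROLLMENTS = {
    "acct-alice": {"VIN-CONSTRUCTED-0001"},
    "acct-bob": {"VIN-CONSTRUCTED-0002"},
}
PROFILES = {
    "VIN-CONSTRUCTED-0001": {"owner": "Alice Example", "phone": "555-0100"},
    "VIN-CONSTRUCTED-0002": {"owner": "Bob Example", "phone": "555-0101"},
}
ALLOWED_COMMANDS = {"unlock", "start"}
DENIED_LOG = []  # (account, vin, action) tuples, a feed for alerting


class Forbidden(Exception):
    """Raised when the caller is not enrolled for the requested VIN."""


def profile_by_vin_only(vin):
    # Flawed pattern: the VIN is the only thing the caller must present.
    # A VIN is readable from the vehicle itself, so it identifies a car
    # but cannot authenticate the person asking about it.
    return PROFILES[vin]


def _authorize(account, vin, action):
    # 'account' must come from the authenticated session, never from a
    # field the client can set in the request.
    if vin not in ENROLLMENTS.get(account, set()):
        DENIED_LOG.append((account, vin, action))
        raise Forbidden(f"{account} is not enrolled for this vehicle")


def profile_checked(account, vin):
    _authorize(account, vin, "profile")
    return PROFILES[vin]


def command_checked(account, vin, command):
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"unsupported command: {command}")
    _authorize(account, vin, command)
    return {"vin": vin, "command": command, "status": "queued"}
```

Repeated entries in `DENIED_LOG` from one account across many different VINs are the signal worth alerting on.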