A security engineer recently uncovered security vulnerabilities in vehicles produced by four OEMs, through hacking the website of one company that manages telematics functionality for those manufacturers and seven others.
The findings seem to support the concerns raised by the Alliance for Automotive Innovation (AAI) over efforts by the aftermarket to pass “right-to-repair” initiatives that would force OEMs to standardize access to sensitive vehicle data.
Sam Curry, who works at Yuga Labs, tweeted that he and his team were able to access consumer information and execute commands on Honda, Acura, Nissan, and Infiniti vehicles, with nothing more than the vehicle identification number (VIN) visible through the windshield.
Curry said the team notified Sirius XM, the company that manages the telematics functionality, which fixed the vulnerability and validated its patch. Sirius XM says that it also provides services to BMW, Hyundai, Jaguar, Land Rover, Lexus, Subaru, and Toyota, though the team did not test those vehicles. “So many brands under one roof!” Curry tweeted.
Sirius XM has issued the following statement:
“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM’s Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”
Sirius XM Connected Vehicle Services has 15 active OEM programs, with an estimated 12 million vehicles on the road.
The service originated in the mid-1990s, when telematics were in their infancy. The company says it has “developed, launched and managed connected vehicle programs across multiple automotive brands, spanning both luxury and mass market model lines, across national borders, and across multiple model years.”
Curry describes the team’s research in the following thread:
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) November 30, 2022
Curry said it did not appear to matter whether the vehicle owner’s Sirius XM subscription was active.
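The flaw class the thread and the Sirius XM statement describe, an authorization check that treats the VIN as if it were a credential, modelled as an added illustration (not Sirius XM's code or the researchers' findings; the handler names, account names and VINs are constructed assumptions) beside a handler that ties the VIN to the authenticated owner and to an active program:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample state (not real data): VIN -> owning account, and whether
# the connected-services program for that VIN is active.
OWNERS = {
    "VIN-CONSTRUCTED-0001": "alice",
    "VIN-CONSTRUCTED-0002": "bob",
}
SERVICE_ACTIVE = {"VIN-CONSTRUCTED-0001": False, "VIN-CONSTRUCTED-0002": True}
REMOTE_COMMANDS = {"unlock", "start", "locate", "flash", "honk"}


@dataclass
class CommandRequest:
    vin: str
    command: str
    session_user: Optional[str] = None  # None: caller presented no session


def vulnerable_send_command(req: CommandRequest) -> str:
    """Flawed pattern: the VIN is treated as if it were a credential.
    Anyone who can read the VIN through the windshield passes this check."""
    if req.vin not in OWNERS or req.command not in REMOTE_COMMANDS:
        return "rejected"
    return f"sent {req.command} to {req.vin}"


def hardened_send_command(req: CommandRequest) -> str:
    """Object-level authorization: the VIN only names the object; the right to
    act on it comes from the authenticated account that owns it, and the
    program for that vehicle must be active (subscription state is checked)."""
    if req.command not in REMOTE_COMMANDS:
        return "rejected: unknown command"
    if req.session_user is None:
        return "rejected: unauthenticated"
    # One response for "unknown VIN" and "someone else's VIN", so the endpoint
    # does not reveal which VINs are enrolled.
    if OWNERS.get(req.vin) != req.session_user:
        return "rejected: not authorized"
    if not SERVICE_ACTIVE.get(req.vin, False):
        return "rejected: service inactive"
    return f"sent {req.command} to {req.vin}"
```

The hardened handler also rejects commands for an enrolled VIN whose program is inactive, the gap Curry noted about subscription status.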
Security concerns have been a central theme in AAI’s legal challenge of a Massachusetts law passed by voters in 2020, which requires OEMs to equip every vehicle sold in that state that uses a telematics system with “an inter-operable, standardized and open access platform.”
AAI has maintained that the new Data Access Law would seriously hamper efforts by OEMs to keep vehicle data and vehicle systems safe, and warned that “access to that data, and to the secured vehicle systems that generate that data, could, in the wrong hands, spell disaster.”
The suit, AAI v. Maura Healey, is not yet resolved.
Section 2 of the Data Access Law provides that:
“[O]wners’ and independent repair facilities’ access to vehicle on-board diagnostic systems shall be standardized and not require any authorization by the manufacturer, directly or indirectly, unless that authorization system for access to vehicle networks and their on-board diagnostic systems is standardized across all makes and models sold in the Commonwealth and is administered by an entity unaffiliated with a manufacturer.”
AAI has warned that “creating a single entity responsible for authorization may facilitate intrusions into multiple manufacturers’ vehicles at once. This would increase cybersecurity attack surface and risk exponentially.”
In briefs filed with the U.S. District Court for the District of Massachusetts, security experts with representative OEMs General Motors and Stellantis have said the law is in conflict with good cybersecurity practices.
“…[T]he Data Access Law, as Stellantis understands and interprets it, would require removing critical cybersecurity controls from its vehicles. Stellantis cannot do this consistent with its federal safety obligations,” Stephen McKnight, head of global product cybersecurity for North American Engineering at Stellantis, told the court.
Kevin Tierney, vice president of global cybersecurity at GM, wrote that “implementing the Data Access Law would require removing various cybersecurity protections that GM has placed around safety-critical vehicle functions and emissions controls that are mandated by federal law. Indeed, certain requirements of the Data Access Law—such as its requirements that access be given to ‘vehicle networks,’ that vehicles be equipped with an ‘open access’ platform, that the platform be ‘directly accessible,’ and that this access include the ability to ‘send commands’ to in-vehicle components—are antithetical to good cybersecurity practice.”
Proponents, such as the Auto Care Association (ACA), have argued that the data access law is necessary to protect independent shops’ ability to access the OEM information needed to maintain and repair vehicles.
Critics have said that such access is already guaranteed through the memorandum of understanding between the OEMs and the aftermarket, an agreement that’s been held up as a model for other industries.
“Though I understand that the ACA pursued the ballot initiative in Massachusetts to ensure access to data from GM’s telematics units, that data has very little to do with the diagnosis, maintenance, or repair of vehicles,” Tierney said. He said GM’s telematics service, OnStar, transmits and receives repair data only to deliver firmware-over-the-air updates (FOTA) and, if the owner chooses, to send diagnostic reports on the status of key vehicle systems such as the airbag, antilock braking, engine, emissions, and stability control systems.
“Neither of these services affect vehicle owners’ ability to choose independent service providers to service their vehicles,” he wrote. “Consumers can provide those diagnostic reports to any repair technician, whether that is an independent repair shop or a GM franchise dealer.”