Bug bounty hunter Sam Curry discovered a vulnerability in the SiriusXM Connected Vehicle Services telematics platform that allowed him to remotely perform unauthorized tasks in smart cars such as unlocking, starting the engine, and even honking any remotely connected Honda, Nissan, Infiniti, and Acura vehicles.
All that the white hat hacker needed was to know the VIN of the car. The VIN number is often easily accessible by anyone who walks by any vehicle as it is often visible on the windshield or other parts of the cars. Additionally, VINs are sometimes included in data leaks – in 2017, the personal information of more than 10 million U.S. car owners was exposed in a massive leak of car vehicle identification numbers.
