Early this month, researchers reported a flaw in the connected vehicle services of Sirius XM, which provides telematics and infotainment services to multiple brands like Acura, Honda, Infiniti, and Nissan. The vulnerability could have allowed malicious actors to remotely start, unlock, and locate vehicles among other commands.
Sirius XM is known for its radio and satellite services. However, it also provides lesser-known connected services to some car brands and is reportedly active in more than 12 million vehicles.
The flaw in its remote vehicle management services was reported by Sam Curry, a security researcher from Yuga Labs. Early this year, Yuga Labs had found several individual vulnerabilities affecting different car brands. In trying to learn more about the telematic solutions of these car brands, Yuga Labs came upon the flaw in Sirius XM’s services.
Curry and his colleagues learned that because of the flaw, a potential attacker would need only a vehicle’s vehicle identification number (VIN), which is visible on car windshields, in order to fetch user information and command vehicles.
Sirius XM patched this flaw almost as soon as it was reported. However, the case demonstrates the implications of supply-chain risks and the impact that such a vulnerability could leave across the industry.
How VicOne mitigates similar risks
Anomaly detection plays a key role in fending off potential exploits of flaws such as this. VicOne’s xnexus, a cloud-based extended detection and response (XDR) platform for vehicle security operation centers (VSOCs), easily detects anomalies. For example, when the system detects an abnormal API transaction sequence, the system’s alarm will automatically be triggered.
xNexus draws from decades of unique experiences in threat intelligence. VicOne has created a series of detection engines to better identify existing anomaly patterns. Thus, xNexus can detect anomalies more accurately by analyzing cross-layer data (such as vehicle telemetry with geolocation) and anomalous transactions in advance by accessing event logs between a mobile app and its back-end server.
Other risks of a vulnerable automotive supply chain
This incident also highlights other consequences of a vulnerable supply chain. For example, vulnerabilities could provide an opening for sensitive personally identifiable information (PII) to be stolen through malicious applications. A malicious actor would then be able to obtain specific information, such as a vehicle owner’s name, phone number, home address, and car details.
In our 2022 Automotive Cybersecurity Report, we found that data breaches were the most common type of cyberattack in the past two years. UN Regulation No. 155 (UN R155) highlights information breach (31.1) as an example of an incident that requires mitigation in Annex 5. Therefore, securing customer data will be among the next hurdles for automotive OEMs to consider in dealing with supply-chain risks.
In this aspect, VicOne’s end-to-end solution includes mobile app protection, integrated IVI protection, and on-board security, keeping customers’ sense of security before and after they purchase their vehicles.
To read more about VicOne solutions and automotive threats, visit our resource center.