The security flaw affected over 12 million cars.
called attention to a spy firm that planned to sell the telematics-based location information of over 15 billion cars to the US government.
While telematics systems obtain data about your car’s GPS location, speed, turn-by-turn navigation, and maintenance requirements, certain infotainment setups might track call logs, voice commands, text messages, and more. All of this data allows vehicles to provide “smart” features, like automatic crash detection, remote engine start, stolen vehicle alerts, navigation, and the ability to remotely lock or unlock your car.
It’s this system that could give bad actors access to someone’s car, Curry explains, as Sirius XM uses the VIN (vehicle identification number) linked with a person’s account to relay information and commands between the app and its servers. By creating an HTTP request to fetch a user’s profile with the VIN, Curry says he was able to obtain the vehicle owner’s name, phone number, address, and car details.
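The flaw described above is a classic insecure direct object reference: the VIN alone selected the profile record, so the server never checked that the caller was the account the VIN was linked to. The following is an added illustration of that pattern and its fix, written for this page; it is not Sirius XM's code, and the profile data, account ids, VINs and function names are all constructed for the example. It shows the flawed lookup beside one that enforces the account-to-VIN link, a syntactic VIN validator (17 characters, no I, O or Q; the check digit is not verified), and a simple detector that flags an account requesting profiles for more distinct VINs than it could plausibly own.

```python
# Added example (not Sirius XM's code): a VIN-keyed profile lookup with and
# without an ownership check, plus a small enumeration detector.
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    name: str
    phone: str
    address: str
    vehicle: str


class Forbidden(Exception):
    """Raised when the caller's account is not linked to the requested VIN."""


# Constructed sample data: the names, VINs and account ids are made up.
PROFILES_BY_VIN = {
    "1HGCM82633A004352": Profile("Alice Example", "555-0100", "1 Main St", "2003 sedan"),
    "5YJ3E1EA7KF317000": Profile("Bob Example", "555-0101", "2 Oak Ave", "2019 EV"),
}
VINS_BY_ACCOUNT = {
    "acct-alice": {"1HGCM82633A004352"},
    "acct-bob": {"5YJ3E1EA7KF317000"},
}


def is_well_formed_vin(vin: str) -> bool:
    """Syntactic check only: 17 upper-case alphanumerics with no I, O or Q.
    The VIN check digit is deliberately not verified here."""
    return (
        len(vin) == 17
        and vin.isalnum()
        and vin == vin.upper()
        and not (set(vin) & set("IOQ"))
    )


def fetch_profile_vulnerable(vin: str) -> Optional[Profile]:
    """The flawed pattern: the VIN alone selects the record, so any caller who
    can send a VIN receives that owner's profile."""
    return PROFILES_BY_VIN.get(vin)


def is_linked(account_id: str, vin: str) -> bool:
    """True only if the VIN is well formed and linked to this account."""
    return is_well_formed_vin(vin) and vin in VINS_BY_ACCOUNT.get(account_id, set())


def fetch_profile(account_id: str, vin: str) -> Profile:
    """The corrected pattern: the authenticated account must own the VIN.
    Unknown and foreign VINs are rejected with the same error so the
    response does not reveal which VINs exist."""
    if not is_linked(account_id, vin):
        raise Forbidden(f"account {account_id} is not linked to the requested VIN")
    return PROFILES_BY_VIN[vin]


def flag_enumeration(requests: Iterable[Tuple[str, str]], max_distinct_vins: int = 3) -> List[str]:
    """Detection aid: accounts whose profile requests span more distinct VINs
    than they could plausibly own. `requests` yields (account_id, vin) pairs
    taken from the API access log."""
    seen = defaultdict(set)
    for account_id, vin in requests:
        seen[account_id].add(vin)
    return sorted(a for a, vins in seen.items() if len(vins) > max_distinct_vins)


if __name__ == "__main__":
    # Flawed lookup: anyone holding Bob's VIN gets Bob's profile.
    print(fetch_profile_vulnerable("5YJ3E1EA7KF317000"))
    # Fixed lookup: Alice may read her own profile but not Bob's.
    print(fetch_profile("acct-alice", "1HGCM82633A004352"))
    try:
        fetch_profile("acct-alice", "5YJ3E1EA7KF317000")
    except Forbidden as exc:
        print("rejected:", exc)
    # Constructed access-log sample: acct-x walks four different VINs.
    log = [("acct-alice", "1HGCM82633A004352")] + [("acct-x", f"WVWZZZ3CZWE1000{i:02d}") for i in range(4)]
    print("suspicious accounts:", flag_enumeration(log))
```

The important design choice is that ownership is checked on the server from the session's account id, never from anything the client supplies; the VIN is treated as an untrusted lookup key, and a rejected request returns the same error whether the VIN belongs to someone else or does not exist at all.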
Curry says he alerted Sirius XM of the flaw and that the company quickly patched it. In a statement to, the company said the vulnerability “was resolved within 24 hours after the report was submitted,” noting that “at no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.” Sirius XM didn’t immediately respond to