Software security researchers and engineers used a flaw in a SiriusXM service to hack into Honda, Nissan and Toyota vehicles using only the vehicles' VINs, a method that provides wider access to account information.
But for Hyundai and its sibling Genesis models, one only needs the email address, they said.
The researchers discovered the coding flaw in a hybrid 2022 Hyundai Sonata in September and found they could remotely unlock, start and locate the car, flash its lights and honk its horn. They used the same methodology to crack into Honda, Nissan and Toyota models.
As these researchers and engineers explored the back end of these smartphone applications, they kept seeing SiriusXM, a company known for its satellite and online radio services, referenced in the code and documentation related to these vehicles' onboard systems.
During their research, they found that the domain "http://telematics.net" handled the services for enrolling cars in SiriusXM Connected Vehicle Services, a subsidiary that provides automatic crash notifications, roadside assistance, remote door unlock, remote start and stolen vehicle recovery for vehicle owners.
"This was interesting to us because we didn't know SiriusXM offered remote vehicle management functionality, but it turns out they do," said Sam Curry, an Omaha, Neb.-based security engineer.
The group reached out to Hyundai and SiriusXM to inform them of the vulnerabilities, Curry added.
The automakers and SiriusXM Radio said they were aware of the problem and had resolved the issue.
While the group could hack many features, they could not control any driving functions, Curry said.
"But you could start it (the car) in someone's garage," he said.