Sirius XM’s Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN).