In January 2023, they published the initial results of their work, a Huge collection of web vulnerabilities In the case of Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce and Ferrari, all of which the group reported to the automakers. In the case of at least a half-dozen of those companies, the web bugs the group found offered at least some level of control of the cars’ connected features, they wrote, as in their latest attack on Kia. Others, they say, allowed unauthorized access to the companies’ internal data or applications. Still others targeted fleet management software for emergency vehicles and might even have prevented those vehicles from starting, they believe, though they did not have the means to safely test that potentially dangerous hack.
In June of this year, Curry says, he discovered that Toyota appeared to still have a similar flaw in its web portal that, in combination with a leaked dealer credential he found on the internet, would have allowed remote control of Toyota and Lexus vehicle functions such as tracking, unlocking, horn, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email that appeared to show that he had been able to reassign control of a target Toyota’s connected functions over the web. However, Curry did not film a video of that Toyota hacking technique before reporting it to Toyota, and the company quickly patched the bug he had revealed, even temporarily taking its web portal offline to prevent exploitation.
“As a result of this investigation, Toyota quickly disabled the compromised credentials and is accelerating security improvements to the portal, in addition to temporarily disabling the portal until the improvements are complete,” a Toyota spokesperson wrote to WIRED in June.
More smart features, more silly mistakes
The extraordinary number of vulnerabilities on automakers’ websites that allow remote control of vehicles is a direct result of the companies’ effort to appeal to consumers, particularly young ones, with smartphone-enabled features, says Stefan Savage, a professor of computer science at the University of California, San Diego, whose research team was the first to Hacking a car’s steering and brakes via the Internet in 2010“Once you have these user roles tied to the phone, this cloud-connected device, you create this whole attack surface that you didn’t have to worry about before,” Savage says.
Still, he says, even he is surprised by the insecurity of all the web-based code that manages those functions. “It’s a little disappointing that it’s as easy to exploit as it has been,” he says.
Rivera says he’s observed firsthand during his time working in automotive cybersecurity that automotive companies often focus more on “embedded” devices — digital components in nontraditional computing environments like cars — than on web security, in part because updating those embedded devices can be much more difficult and lead to product recalls. “From the time I started, it became clear that there was a glaring gap between embedded security and web security in the automotive industry,” Rivera says. “These two things get mixed up so often, but people only have expertise in one or the other.”
UCSD’s Savage hopes the work of the researchers who hacked Kia can help change that approach. Many of the early, high-profile hacking experiments affecting cars’ embedded systems — such as the 2015 acquisition of Jeep and the 2010 hack of the Impala by Savage’s team at UCSD — convinced automakers that they needed to prioritize embedded cybersecurity better, he says. Now auto companies need to focus on web security, too — even, he says, if that means making sacrifices or changes to their processes.
“How do you decide that we’re not going to ship the car for six months because we haven’t reviewed the web code? It’s a tough decision to sell,” he says. “I’d like to think that these kinds of events make people think about that decision more carefully.”
