In January 2023, they published the first results of their work, a large collection of web vulnerabilities affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari, all of which they had reported to the car makers. At half a dozen of those companies, the web bugs the group found offered at least some level of control over the connected features of cars, they wrote, just as in their recent Kia hack. Others, they say, allowed unauthorized access to company data or internal applications. Still others targeted emergency vehicle management software and could have prevented those vehicles from starting, they believed—though they had no way to safely test such a potentially dangerous tactic.
In June of this year, Curry says, he discovered that Toyota appeared to have a similar flaw in a website which, combined with leaked sales information he found online, would have allowed remote control of Toyota and Lexus vehicles: tracking, unlocking, honking, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email that appears to show he was able to reassign control of the connected features of a Toyota vehicle he targeted via the web. Curry did not record a video of the Toyota hack before reporting it, but the company quickly patched the bug he had revealed, even temporarily taking down its website to prevent it from being exploited.
“As a result of this investigation, Toyota immediately deleted the compromised information and is accelerating security improvements to the site, as well as shutting down the site temporarily until the improvements are completed,” a Toyota spokesperson told WIRED in June.
More Smart Features, More Dumb Bugs
The staggering number of vulnerabilities on automakers’ websites that allow remote control of cars is a direct result of the pressure on companies to attract consumers—especially young ones—with smartphone-enabled features, said Stefan Savage, a professor of computer science at UC San Diego whose research team was the first to hack a car’s steering and brakes over the internet in 2010. “…don’t worry before,” said Savage.
Still, he says, even he is surprised by the insecurity of all the web-based code that controls those features. “It’s disappointing that it’s as easy to use as it was,” he says.
Rivera says he’s seen firsthand in his time working in automotive cybersecurity that auto companies tend to focus more on “embedded” devices—digital components in non-traditional computing environments like cars—rather than web security, in part because updating those embedded devices can be more difficult and lead to recalls. “It’s been clear since I started that there is a huge gap between embedded security and web security in the automotive industry,” said Rivera. “These two things often come together, but people only have knowledge of one or the other.”
UCSD’s Savage hopes the work of the Kia-hacking researchers can help change that focus. Several high-profile hacking demonstrations against automotive embedded systems, such as the 2015 Jeep takeover and the 2010 Impala hack by Savage’s team at UCSD, convinced automakers that they needed to give embedded cybersecurity higher priority, he said. Now car companies need to focus on web security too—even, he says, if it means making sacrifices or changes to their processes.
“How do you decide, ‘We can’t ship a car for six months because we didn’t test the web code?’ That is a hard sell,” he said. “I like to think that this kind of event causes people to look at that decision more fully.”