In January 2023, they published the initial results of their work, an enormous collection of web vulnerabilities affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari—all of which they had reported to the automakers. For at least half a dozen of those companies, the web bugs the group found offered at least some level of control of cars’ connected features, they wrote, just as in their latest Kia hack. Others, they say, allowed unauthorized access to data or the companies’ internal applications. Still others targeted fleet management software for emergency vehicles and could have even prevented those vehicles from starting, they believe—though they didn’t have the means to safely test out that potentially dangerous trick.
In June of this year, Curry says, he discovered that Toyota appeared to still have a similar flaw in its web portal that, in combination with a leaked dealer credential he found online, would have allowed remote control of Toyota and Lexus vehicles’ features like tracking, unlocking, honking, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email seeming to demonstrate that he’d been able to reassign himself control of a target Toyota’s connected features over the web. Curry didn’t film a video of that Toyota hacking technique before reporting it to Toyota, however, and the company quickly patched the bug he’d disclosed, even temporarily taking its web portal offline to prevent its exploitation.
“As a result of this investigation, Toyota promptly disabled the compromised credentials and is accelerating security enhancements of the portal, as well as temporarily disabling the portal until enhancements are complete,” a Toyota spokesperson wrote to WIRED in June.
More Smart Features, More Dumb Bugs
The extraordinary number of vulnerabilities in carmakers’ websites that allow remote control of vehicles is a direct result of companies’ push to appeal to consumers—particularly young ones—with smartphone-enabled features, says Stefan Savage, a professor of computer science at UC San Diego whose research team was the first to hack a car’s steering and brakes over the internet in 2010. “Once you have these user features tied into the phone, this cloud-connected thing, you create all this attack surface you didn’t have to worry about before,” Savage says.
Still, he says, even he is surprised at the insecurity of all the web-based code that manages those features. “It’s a little disappointing that it’s as easy to exploit as it has been,” he says.
Rivera says he’s observed firsthand in his time working in automotive cybersecurity that car companies often put more focus on “embedded” devices—digital components in non-traditional computing environments like cars—rather than web security, in part because updating those embedded devices can be far more difficult and lead to recalls. “It was clear ever since I started that there was a glaring gap between embedded security and web security in the auto industry,” Rivera says. “These two things mix together very often, but people only have experience in one or the other.”
UCSD’s Savage hopes that the Kia-hacking researchers’ work might help shift that focus. Many of the early, high-profile hacking experiments that affected cars‘ embedded systems, like the 2015 Jeep takeover and the 2010 Impala hack pulled off by Savage’s team at UCSD, persuaded automakers that they needed to better prioritize embedded cybersecurity, he says. Now car companies need to focus on web security too—even, he says, if it means making sacrifices or changes to their process.
“How do you decide, ‘We’re not going to ship the car for six months because we didn’t go through the web code?’ That’s a a tough sell,” he says. “I would like to think this kind of event causes people to look at that decision more fully.”