In January 2023, they published the initial results of their research: a vast collection of web vulnerabilities affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, and Ferrari, which they reported to the automakers. For at least a half-dozen of those companies, they wrote, the web bugs they found allowed them to gain some control over the cars’ connected features, as in the latest Kia hack. Other bugs allowed unauthorized access to data or the companies’ internal applications, they said. Still other bugs targeted the fleet management software of emergency vehicles, and could even prevent those vehicles from starting, they believe, but they had no way to safely test that potentially dangerous trick.
Curry says he discovered a similar flaw in Toyota’s web portal in June that, when combined with dealer credentials he found online, could allow remote control of Toyota and Lexus vehicle functions, including tracking, unlocking, horn, and ignition. He reported the vulnerability to Toyota and showed WIRED a confirmation email showing that he had successfully reassigned control of the target Toyota’s connected functions to himself over the web. But Curry didn’t film a video of the Toyota hack before reporting it to Toyota, and Toyota quickly fixed the bug he uncovered and even temporarily took the web portal offline to prevent abuse.
“As a result of this investigation, Toyota immediately disabled the compromised credentials, accelerated efforts to harden the portal’s security, and has temporarily disabled the portal until those efforts are complete,” a Toyota spokesperson wrote to WIRED in June.
Smarter Features, Stupid Bugs
The surprising number of vulnerabilities on automaker websites that allow users to remotely control vehicles is a result of companies trying to appeal to consumers, especially young people, with smartphone-enabled features, says Stefan Savage, a computer science professor at the University of California, San Diego, whose team was the first to hack a car’s steering and braking over the internet in 2010. “When you combine these user capabilities with a phone, something that’s connected to the cloud, it creates a whole attack surface that you didn’t have to worry about before,” Savage says.
Still, he says he was surprised at just how insecure the web-based code that governs these features is: “It’s a bit disappointing that it can be exploited as easily as it has been,” he says.
Rivera says that during his time working in automotive cybersecurity, he saw firsthand that car companies focused more on “embedded” devices — the digital components of a non-traditional computing environment like a car — than on web security, because embedded devices are much more difficult to update and can lead to recalls. “It was clear from the time I started in the business that there was a clear gap between embedded security and web security in the automotive industry,” Rivera says. “The two are often mixed together, but people only have experience with one or the other.”
Savage, at UCSD, hopes that the work of the Kia hacking researchers might help change that focus. Many of the earlier high-profile hacking experiments that affected cars’ embedded systems, such as the 2015 Jeep hijack and the 2010 Impala hack carried out by Savage’s team at UCSD, convinced automakers that they needed to make embedded cybersecurity a higher priority, he says. Now, he says, car companies need to focus on web security, too, even if that means making sacrifices or changing processes.
“How do you decide, ‘We’re not going to ship cars for six months because we didn’t check the web code?’ It’s a difficult decision,” he said. “I hope that something like this will make people think more deeply about that decision.”