Millions of Vehicles Vulnerable to Hacking and Tracking Due to Website Bug

An extensive collection of web vulnerabilities affecting various car manufacturers has been unearthed by a group of researchers led by Sam Curry. In their initial publication in January 2023, they revealed the discovery of vulnerabilities affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari. The vulnerabilities identified by the researchers provided unauthorized access to cars’ connected features while some also allowed access to internal applications of the companies. In addition, certain vulnerabilities targeted fleet management software for emergency vehicles, posing a potential threat to their functionality.

The group, led by Curry, shared that several companies were susceptible to these web bugs, granting varying degrees of control over the connected features of the vehicles. The researchers even demonstrated a successful hack on a Kia vehicle, highlighting the potential risks associated with these vulnerabilities. However, they refrained from executing certain potentially dangerous tricks due to safety concerns.

In a later discovery made in June, Curry identified a similar flaw in Toyota’s web portal that could have enabled remote control of Toyota and Lexus vehicles’ features. By combining this flaw with leaked dealer credentials found online, remote access to features such as tracking, unlocking, honking, and ignition of vehicles could have been achieved. Curry promptly reported this vulnerability to Toyota, showcasing evidence of the exploit through a confirmation email, and the automaker took swift action to patch the bug and temporarily shut down the web portal to prevent any further exploitation.

Following the investigation, Toyota acknowledged the compromise of credentials and reiterated its commitment to enhancing security measures on the portal to prevent future vulnerabilities. This incident brought to light the need for car manufacturers to prioritize cybersecurity in web-based systems as consumer demands for smartphone-enabled features continue to rise.

Stefan Savage, a computer science professor at UC San Diego, emphasized that the surge in web vulnerabilities stems from carmakers’ efforts to integrate smartphone-connected features into their vehicles to cater to consumer preferences. However, he expressed surprise at the ease with which these vulnerabilities could be exploited, underscoring the critical need for robust cybersecurity measures in the automotive industry.

Rivera, an expert in automotive cybersecurity, noted the prevalent focus on securing embedded devices in vehicles rather than prioritizing web security, highlighting a gap in the industry’s approach to cybersecurity. The researchers’ work on identifying web vulnerabilities in vehicles like Kia serves as a wake-up call for automakers to address the existing gaps in web security and implement necessary changes to safeguard their systems.

Savage emphasized the importance of balancing embedded security with web security, urging car companies to reevaluate their processes and prioritize cybersecurity measures to mitigate potential risks. The Kia-hacking researchers’ findings are expected to prompt a shift in focus towards fortifying web security in the automotive industry, leading companies to reconsider their strategies and allocate resources towards securing their web-based systems effectively.
