If you purchased a new car in the past few years, chances are good that it contains at least one embedded modem, which it uses to offer some connected services. The benefits, we’ve been told, are numerous and include convenience features like interior preheating on a cold morning, diagnostics that warn of failures before they happen, and safety features like teen driver monitoring.
In some regions, connected cars are even mandatory, as in the European Union’s eCall system. But if these systems sound like a potential security nightmare, that’s because they often are. Ars has been covering car hacks for more than a decade now, but the problem really cemented itself in the public consciousness in 2015 with the infamous Jeep hacking incident, when a pair of researchers proved they could remotely disable a Jeep Cherokee while it was being driven, via an exploit in the SUV’s infotainment system. Since then, security flaws have been found in some cars’ Wi-Fi networks, NFC keys and Bluetooth, and in third-party telematics systems.
Toward the end of 2022, a researcher named Sam Curry tested the security of various automakers and telematics systems and discovered security holes and vulnerabilities seemingly wherever he looked. Curry decided to explore the potential holes in the auto industry’s digital infrastructure when he was visiting the University of Maryland last fall after playing around with an electric scooter’s app and discovering that he could turn on the horns and headlights across the entire fleet. After reporting the vulnerability to the scooter company, Curry and his colleagues turned their attention to larger vehicles.
We brainstormed for a while and then realized that nearly every automobile manufactured in the last five years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.
The researchers found extensive problems with 16 OEMs, telematics services like LoJack, new digital license plates, and even Sirius XM radio.
Armed with nothing more than a vehicle identification number, the hackers were able to access the remote services for cars from Acura, Honda, Infiniti, Kia, and Nissan, including locating and unlocking the cars, starting or stopping the engines, or honking the horns. It was also possible to take over a user’s account with a VIN, and in Kia’s case, the researchers could even access live parking cameras on a vehicle.
Genesis and Hyundai vehicles were similarly exploitable, albeit with an owner’s email address instead of a VIN. Porsche vehicles were also susceptible to a telematics vulnerability that allowed Curry to locate a vehicle and send it commands.
The telematics company Spireon—which provides services like LoJack—had multiple security holes that allowed the hackers to gain “[f]ull administrator access to a company-wide administration panel with [the] ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware,” Curry said. As a proof of concept, Curry and his colleagues “invited ourselves to a random fleet account and saw that we received an invitation to administrate a US Police Department where we could track the entire police fleet,” he said.
Digital license plates recently approved for use in California were also exploitable. Curry discovered that he could gain super admin access and manage all user accounts and devices, including tracking the cars and changing the messages displayed on the e-ink license plates.