Vulnerability in Kia’s Web Portal Allows Researchers to Track and Hack Vehicles

In January 2023, a significant investigation uncovered a vast array of web vulnerabilities impacting several major automotive manufacturers, including Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, and Ferrari. This extensive research culminated in an alarming report detailing how the identified flaws, reported directly to the affected companies, could enable unauthorized control of the connected features in vehicles from at least half a dozen of these manufacturers. The vulnerabilities ranged from allowing unauthorized data access to facilitating interactions with internal applications, and in some cases, they targeted fleet management systems for emergency vehicles. Researchers indicated that these capabilities could even prevent emergency vehicles from starting, although they refrained from testing this potentially hazardous functionality due to safety concerns.

By June 2023, the vulnerabilities in the automotive sector had drawn heightened scrutiny. Cybersecurity researcher Sam Curry revealed that Toyota still suffered from a similar weakness in its web portal. This flaw, when coupled with leaked dealer credentials found online, posed severe risks, granting potential remote access to numerous features in both Toyota and Lexus vehicles, such as tracking, unlocking, honking, and ignition. After disclosing this vulnerability to Toyota, Curry provided documentation to WIRED confirming his ability to reassign control over a targeted vehicle’s connected features via the web. However, he did not record the demonstration before reporting it, and the automaker swiftly addressed the issue, temporarily disabling its web portal to prevent exploitation while implementing necessary security enhancements.

The immediate response from Toyota included disabling the compromised credentials and expediting ongoing security improvements to the affected portal. A spokesperson for Toyota indicated these actions were taken to ensure a more secure environment for users.

The proliferation of vulnerabilities like those identified in the car manufacturing sector can be largely attributed to the industry’s drive to attract consumers, particularly younger demographics, by offering smartphone-enabled features. Stefan Savage, a professor of computer science at UC San Diego, notes that integrating vehicle features with mobile technology creates an expansive attack surface that was previously absent. This has become increasingly problematic as user expectations evolve alongside technological advancements, making vehicles more interconnected and vulnerable to cyber incidents.

From a cybersecurity perspective, this scenario maps to adversary tactics catalogued in the MITRE ATT&CK framework, particularly Initial Access and Privilege Escalation. Initial access to the systems may have been facilitated through leaked credentials, while the attack surface created by integrating smartphone applications and web portals significantly elevated the risk of privilege escalation. The vulnerabilities not only reflect the state of the technical infrastructure but also present a growing challenge as automotive companies rapidly adapt to technological change.

As the industry continues to innovate, understanding and addressing these vulnerabilities will be critical for maintaining consumer trust and safeguarding sensitive data. Business leaders within the automotive sector must remain vigilant and proactive in enhancing their cybersecurity measures, as the risks associated with connected vehicles will only increase as technology progresses.
