
White Hat Researchers Discover Critical Automotive Fleet Vulnerabilities Based on Identity Flaws
A security researcher recently uncovered major vulnerabilities across numerous automotive manufacturers that allow unauthorized access and control of vehicles using only non-secret identifiers like VIN numbers or email addresses.
Key findings:
- Multiple manufacturers including Kia, Honda, Infiniti, Nissan, Acura, and others were affected
- Attacks could remotely:
  - Lock/unlock vehicles
  - Start/stop engines
  - Track precise location
  - Flash lights and honk horns
  - Access personal information
  - Take over accounts
  - Change vehicle ownership
The vulnerabilities stem from two main issues:
- Using non-secret identifiers (VIN numbers, email addresses) for authentication
- A "monoculture" where many manufacturers use the same underlying systems from suppliers
The potential impact is severe:
- Could enable ransomware attacks targeting entire vehicle fleets
- Possible terrorist or nation-state attacks disrupting transportation
- Major privacy and safety risks for individual vehicle owners
Security experts note that while automotive manufacturers focus heavily on physical safety, they lag behind in cybersecurity compared to mobile device makers. The industry needs to implement proper authentication and security controls, potentially driven by regulation or a major incident that demonstrates the risks.
Proper digital identity and authentication solutions exist but haven't been widely implemented, likely due to cost sensitivity in the automotive industry. However, the potential damage from a widespread attack far outweighs the minimal per-vehicle cost of security improvements.
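The identifier-as-credential flaw described above, shown beside a corrected check, as an added example that is not code from any manufacturer or from the research. The VINs, account ids, command names and function names are constructed for illustration, and the session token is simplified (no expiry or revocation).

```python
import hashlib
import hmac
import secrets

# Constructed sample data: which account owns which vehicle.
OWNERS = {"VIN-CONSTRUCTED-0001": "acct-alice", "VIN-CONSTRUCTED-0002": "acct-bob"}
ALLOWED = {"lock", "unlock", "locate"}
SERVER_KEY = secrets.token_bytes(32)  # secret held only by the backend

def _mac(account_id, nonce):
    msg = f"{account_id}.{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_session(account_id):
    """Issued only after a real login with a secret (assumed to happen elsewhere)."""
    nonce = secrets.token_hex(16)
    return f"{account_id}.{nonce}.{_mac(account_id, nonce)}"

def verify_session(token):
    """Return the account id the token was issued to, or None if it is not valid."""
    try:
        account_id, nonce, mac = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = _mac(account_id, nonce)
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return account_id if ok else None

def command_weak(vin, command):
    """Flawed pattern: knowing the VIN is treated as proof of ownership."""
    if vin in OWNERS and command in ALLOWED:
        return "accepted"
    return "rejected"

def command_hardened(token, vin, command):
    """The VIN only selects the vehicle; the session proves who is asking."""
    account = verify_session(token)
    if account is None:
        return "rejected: unauthenticated"
    if OWNERS.get(vin) != account:  # ownership binding checked server-side
        return "rejected: not owner"
    if command not in ALLOWED:
        return "rejected: unknown command"
    return "accepted"
```

In the hardened handler the same VIN that the weak handler accepts from anyone is refused unless the caller's authenticated account is the one bound to that vehicle.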
