An exclusive Cybernews video experiment, in collaboration with security researcher Sam Curry and automotive hacker BusesCanFly, reveals an unsettling truth about how easy it is for criminals to remotely access, track, and even control your vehicle.
The video investigation, now live on Cybernews's YouTube channel, showed that it is possible to remotely unlock vehicles using just minimal data.
“We could get a full copy of someone’s location history in seconds, honk their horn, unlock their car, open their trunk, and view their cameras,” Curry, who learned the skills needed for car hacking from his career as a bug bounty hunter, shared.
You can deep dive into the exclusive investigation by watching the video below. Curry also kindly agreed to answer a few questions about himself and car hacking as a bonus for the Cybernews community.
The interview has been conducted in writing, and answers are published in full.
What first got you interested in car hacking? How did you learn the skills needed?
The first time that I became interested in car hacking was after getting hundreds of electric scooter alarms to go off at once at my friend's university. He'd been showing me the campus on these electric scooters that you could rent through an app, and we thought it'd be really funny to try and hack them. After dragging one up to his dorm room and taking it apart, we were able to proxy the requests off the scooter and found how they all communicated with each other. After a few hours, we found a vulnerability that let us trigger every alarm at once, and there was something so special about looking down at a campus at 2 or 3 in the morning with hundreds of mini car alarms going off that we wanted to see if we could do the same thing with car companies.
I'd learned the skills needed for car hacking from my career as a bug bounty hunter, someone who gets paid to find vulnerabilities in companies, which I'd known that I wanted to do since I was 15 or 16.
What types of vehicles have you tested or hacked (consumer, commercial, emergency)? Perhaps you even have an exact number of vehicles you have hacked?
The total number of vehicles we've gotten access to is probably well over 15 million. We've found ways to remotely track, unlock, lock, start, and stop pretty much everything from normal consumer cars to police vehicles, ambulances, and large commercial fleets like semi trucks, by targeting the backend telematics systems they all rely on. On the consumer side this included major automakers like Kia, Hyundai, Genesis, Honda, Nissan, Infiniti, Acura, Subaru, BMW, Rolls-Royce, Ferrari, Mercedes-Benz, Ford, Porsche, Toyota, Jaguar, and Land Rover, with real impact ranging from live and historical GPS tracking to remote commands, account takeovers, and access to sensitive customer data using things like VINs, license plates, emails, or basic personal details. On the commercial and government side, the same kinds of vulnerabilities gave fleet-level control over business vehicles, police cars, ambulances, and semi trucks, including tracking and command execution at scale. Because this work focused on centralized infrastructure rather than individual vehicles, entire fleets and customer populations were in scope, with single platforms affecting over 15 million vehicles and, overall, tens of millions globally.
Are certain brands or systems more commonly vulnerable?
Certain brands are definitely easier to hack. It's one of the decisions that I think people should consider when buying a new car, like picking out a phone carrier based on how many times a year they get hacked.
How long does it take to hack (to connect to any) a car?
For the vulnerabilities we found in automakers, the only limitation was how slow the car was to receive the malicious commands that we sent it. We could get a full copy of someone's location history (for years) in seconds, honk their horn, unlock their car, open their trunk, and view their cameras. These things are legitimately just giant computers on wheels, and many of them suffer from really serious security vulnerabilities.
Which is easier to hack: a new “smart” car or an old (for example, a 2010) “dumb” car? Why?
The smarter the car, the easier it is to hack. If you told a hacker to try to connect a 1992 Toyota Corolla, they wouldn't be able to do anything remotely, because the functionality just doesn't exist. With new smart cars, there are phone apps, smart keys, call centers where employees have access to your personal information and the car's location – it goes on forever. We've even found really trivial things with self-driving cars, like shutting down casino valets after accidentally ordering hundreds of self-driving cars to a single location.
Is there a car you wouldn’t drive, due to low security?
I'm not a huge fan of riding in older Teslas. Anything before 2014 isn't something that I am happy to get into.
You mentioned working with manufacturers. How do they react when you report the issues?
It's really easy to work with manufacturers because they are all starting to understand that it's in everyone's shared interest to improve the security of these vehicles. We recently went to a Senate hearing on car security, and everyone there seemed really eager to make sure that these things were actually audited to prevent any sort of hack that could lead to someone dying.
What can a hacker access through my car that I don’t even know is connected? My home garage? My phone contacts? My location history?
All of the above, and more. When you buy a car, you typically agree to share your data with some third party like SiriusXM, which then has your billing information, address, access to your car's radio, and more. The manufacturer also gets your data when you sign up for an account, which ties to your car, and then your car kind of exists to collect as much data on you as possible. Some companies will store years worth of your location history, like we saw after hacking Subaru, where I was able to retrieve over two years worth of 10-meter precise driving history of my mom's Impreza knowing only her license plate, or email address, or phone number, or even just first and last name (this search criteria was available on the Subaru administration page that we hacked).
What’s the scariest car vulnerability you’ve discovered that automakers didn’t want to fix, and is it still on the road today?
Nothing that I'd want to disclose here without being fixed, but the funniest one is always going to be the Tesla charger port Flipper Zero. We didn't discover this, of course, but I think that everyone can kind of understand how funny car hacking is after buying a Flipper Zero and seeing that you can just drive around and open everyone's Tesla charging port. It's super funny.
What’s one simple thing people can do today to protect their car from being hacked?
Do not sign up for any of the online features that your car has to offer. Do not accept any trials from third parties when buying a car (for example, a free year of connected vehicle services). Sadly, I think that trying not to be affected by these things is pretty futile, because maybe one day your employer gets hacked, or the Flock camera that you drive by every day, and now all of your data is public. I'm a huge believer in privacy, but I think we are kind of hopeless right now when it comes to the right to privacy or the ability to opt out of this stuff. If you want to know something scary, we found that even if users did not agree to remotely enabled car functionality, we were able to remotely start their trial without their consent, then take photos and track their car's location. It's hard to escape from.
Your email address will not be published. Required fields are markedmarked