As cars have evolved into software-driven machines, their connectivity and complexity have introduced significant cybersecurity challenges. Features like infotainment systems, over-the-air (OTA) updates, and advanced diagnostics have made modern vehicles more convenient but also more vulnerable to cyberattacks. For over a decade, cybersecurity researchers have identified and exposed critical vulnerabilities in vehicles. Their work has led to recalls, new security standards, and improved design practices, driving automakers to prioritize security. This article explores some of the most notable automotive hacks, showcasing how these breakthroughs reshaped the industry and strengthened the safety of connected vehicles.
Laying the Foundations of Automotive Security
1. Koscher et al.: Experimental Security Analysis of a Modern Automobile (2010)
Koscher and his team pioneered automotive cybersecurity with their groundbreaking study. Their research involved injecting malicious messages into a car’s Controller Area Network (CAN) to manipulate vehicle functions, including braking, acceleration, and engine control. What made their work especially impactful was the ability to perform these manipulations remotely, raising concerns about real-world threats. By using techniques such as reverse engineering ECUs, they demonstrated how insecure vehicle architectures left cars vulnerable to cyberattacks.
Impact: Koscher’s findings underscored the importance of secure software and networks in modern vehicles, pushing the automotive industry to prioritize cybersecurity.
Source: Karl Koscher et al. Experimental Security Analysis of a Modern Automobile (2010). IEEE Symposium on Security and Privacy, pages 447–462.
2. Checkoway et al.: Comprehensive Experimental Analysis of Automotive Attack Surfaces (2011)
Following Koscher’s research, Checkoway et al. expanded on this work by examining multiple attack vectors, including Bluetooth, CD players, and telematics units. They explored how external signals, such as malicious audio files or compromised smartphones, could infiltrate vehicle systems. This study was among the first to show how seemingly benign systems like infotainment could serve as entry points for attackers.
Impact: This research revealed the breadth of vulnerabilities in modern vehicles and highlighted the need for end-to-end security testing during vehicle design.
Source: Stephen Checkoway et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces (2011). Proceedings of the 20th USENIX Conference on Security, SEC’11, pages 1–6. USENIX Association.
Shocking Industry Vulnerabilities
3. Dieter Spaar: Beemer, Open Thyself! (2015)
Spaar’s deep dive into BMW’s ConnectedDrive system exposed a critical vulnerability in its communication protocol (NGTP). By exploiting the insecure transmission of cryptographic keys, he demonstrated how attackers could remotely unlock vehicles. This hack was performed via the cellular network and did not require physical access to the vehicle. Spaar’s work illustrated the risks of weak encryption and poor implementation of cryptographic protocols in connected car systems.
Impact: BMW responded swiftly by rolling out OTA patches, making Spaar’s research a turning point for the adoption of OTA updates as a standard for resolving vulnerabilities.
Source: Dieter Spaar. Beemer, Open Thyself! (2015). Security vulnerabilities in BMW’s ConnectedDrive.
4. Miller and Valasek: Remote Exploitation of an Unaltered Passenger Vehicle (2013-2015)
Charlie Miller and Chris Valasek gained widespread attention for their ability to remotely control a Jeep Cherokee. By exploiting vulnerabilities in the Uconnect telematics system, they demonstrated full control over steering, braking, and acceleration. Their attack involved reverse-engineering firmware and exploiting a lack of network segmentation in the vehicle’s architecture.
Impact: Fiat Chrysler issued a recall for 1.4 million vehicles, one of the largest cybersecurity recalls in history. Miller and Valasek’s research significantly raised public awareness of automotive cybersecurity threats.
Source: Dr. Charlie Miller and Chris Valasek. Remote Exploitation of an Unaltered Passenger Vehicle (2013–2015). DEF CON 23 Hacking Conference, Las Vegas, NV: DEF CON, August 2015.
Cryptography and Keyless Entry Flaws
5. Garcia et al.: Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems (2016)
Garcia et al. uncovered flaws in Volkswagen’s remote keyless entry system, specifically in the Megamos cryptographic protocol. They demonstrated how to intercept and decrypt signals to clone key fobs, enabling unauthorized access to vehicles. The researchers highlighted weaknesses in cryptographic key management and outdated algorithms.
Impact: Their findings prompted automakers to strengthen cryptographic protections and reconsider their reliance on older systems.
Source: Flavio D. Garcia et al. Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems (2016). 25th USENIX Security Symposium (USENIX Security 16), Austin, TX. USENIX Association.
6. Nie et al.: Free-Fall – Hacking Tesla from Wireless to CAN Bus (2017)
Nie and his team showcased an attack chain against the Tesla Model S. By exploiting a browser vulnerability in the infotainment system, they gained access to the vehicle’s CAN bus, allowing them to manipulate critical functions like braking. This attack highlighted how software vulnerabilities in non-critical systems could compromise essential vehicle operations.
Impact: Tesla responded by improving their OTA system and introducing more robust isolation for critical systems, setting a benchmark for secure software deployment in the industry.
Source: Sen Nie et al. Free-Fall: Hacking Tesla from Wireless to CAN Bus (2017). Black Hat USA 2017, Las Vegas, NV.
Diagnostic and Vehicle Communication Flaws
7. Van den Herrewegen and Garcia: Beneath the Bonnet – A Breakdown of Diagnostic Security (2018)
This research explored the security of diagnostic systems, which are widely used for vehicle maintenance and firmware updates. Van den Herrewegen’s team found vulnerabilities in diagnostic protocols, such as insecure authentication mechanisms, which allowed attackers to execute arbitrary code on ECUs.
Impact: Their work emphasized the need for secure diagnostic access, leading to improvements in security for maintenance tools and protocols.
Source: Jan Van den Herrewegen and Flavio D. Garcia. Beneath the Bonnet: A Breakdown of Diagnostic Security (2018). Lecture Notes in Computer Science, volume 11098, pages 305–324. Springer International Publishing.
8. Cai et al.: 0-days & Mitigations – Roadways to Exploit and Secure Connected BMW Cars (2019)
Cai et al. exposed critical vulnerabilities in BMW’s NGTP and UDS protocols. Their research included two detailed attack chains, demonstrating how attackers could achieve remote code execution and access sensitive vehicle data. BMW worked closely with the researchers to patch these issues via OTA updates.
Impact: This research highlighted the importance of responsible disclosure and collaboration between cybersecurity experts and automakers.
Source: Zhiqiang Cai et al. 0-days & Mitigations: Roadways to Exploit and Secure Connected BMW Cars (2019). Black Hat USA 2019, pages 1–37.
Keyless Entry Revisited
9. Wouter Bokslag: Vehicle Immobilization Revisited (2019)
Bokslag’s analysis of immobilizer systems exposed how poor design could allow attackers to bypass immobilizers using inexpensive hardware. His findings focused on models like the Peugeot 207 and Opel Astra H, demonstrating the real-world implications of insecure immobilizer implementations.
Impact: Automakers began integrating more advanced immobilizer technologies, like rolling code systems, to mitigate these threats.
Source: Wouter Bokslag. Vehicle Immobilization Revisited (2019). 36C3: Resource Exhaustion, Chaos Computer Club e.V.
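To make the rolling-code mitigation named above concrete, here is an added example (not code from the original article or from any automaker) of the receiver-side logic: every transmission carries a monotonically increasing counter authenticated with a MAC under a key shared with the fob, and the receiver accepts a code only if the MAC verifies and the counter lies strictly above the last accepted value but within a small look-ahead window, so a captured code cannot be replayed later. The key, window size and 32-bit counter layout are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real system would provision a per-fob secret.
DEMO_KEY = b"constructed-demo-key"
CODE_LEN = 4 + 8  # 32-bit counter + truncated 64-bit MAC


def make_code(key: bytes, counter: int) -> bytes:
    """Fob side: emit counter || HMAC(key, counter) for one button press."""
    msg = struct.pack(">I", counter)
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return msg + tag


class RollingCodeReceiver:
    """Vehicle side: verify the MAC and enforce a strictly increasing counter."""

    def __init__(self, key: bytes, window: int = 16) -> None:
        self.key = key
        self.window = window          # tolerated presses made out of range
        self.last_counter = 0         # highest counter already accepted

    def accept(self, code: bytes) -> bool:
        if len(code) != CODE_LEN:
            return False
        msg, tag = code[:4], code[4:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        # Constant-time compare: a wrong key or a tampered counter fails here.
        if not hmac.compare_digest(expected, tag):
            return False
        counter = struct.unpack(">I", msg)[0]
        # Replayed or stale codes (<= last) and codes too far ahead are rejected.
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return False
        self.last_counter = counter
        return True


def demo() -> list:
    """Walk through accept/reject decisions for a capture-and-replay scenario."""
    rx = RollingCodeReceiver(DEMO_KEY)
    first = make_code(DEMO_KEY, 1)
    return [
        rx.accept(first),                       # fresh press: accepted
        rx.accept(first),                       # captured copy replayed: rejected
        rx.accept(make_code(DEMO_KEY, 5)),      # presses 2-4 missed, still in window
        rx.accept(make_code(DEMO_KEY, 3)),      # stale counter: rejected
        rx.accept(make_code(b"wrong-key", 6)),  # forged without the key: rejected
    ]
```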
10. Wouters et al.: Fast, Furious and Insecure — Passive Keyless Entry and Start Systems in Modern Supercars (2019)
This study revealed vulnerabilities in the passive keyless entry systems of luxury vehicles, including Tesla and McLaren. Using relay attacks, Wouters et al. demonstrated how attackers could unlock and start vehicles without physical access to the key fob.
Impact: Tesla and other manufacturers implemented mitigations such as PIN-to-drive features to reduce the risk of theft.
Source: Lennert Wouters et al. Fast, Furious and Insecure: Passive Keyless Entry and Start Systems in Modern Supercars (2019). IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 66–85.
Latest in Automotive Cybersecurity Hacks
11. Weinmann and Schmotzle: TBONE – A Zero-Click Exploit for Tesla MCUs (2020)
At Pwn2Own 2020, researchers demonstrated how vulnerabilities in Tesla’s multimedia system could be exploited using a drone to achieve a zero-click compromise. They showcased how multimedia flaws could lead to infotainment control.
Impact: Tesla responded by strengthening the security of multimedia components and introducing more robust firewalls.
Source: Ralf-Philipp Weinmann and Benedikt Schmotzle. TBONE – A Zero-Click Exploit for Tesla MCUs (2020). Pwn2Own 2020.
12. Berard and Dehors: I Feel a Draft – Opening Doors and Windows with Zero-Click RCE on Tesla Model 3 (2022)
SYNACKTIV’s zero-click exploit targeted the Tesla Model 3’s infotainment system via its LTE modem. By chaining vulnerabilities, they achieved remote code execution, demonstrating the risks posed by cellular connectivity.
Impact: Tesla worked quickly to patch these vulnerabilities, reinforcing its reputation for agile cybersecurity responses.
Source: David Berard and Vincent Dehors. I Feel a Draft – Opening Doors and Windows with Zero-Click RCE on Tesla Model 3 (2022). Pwn2Own 2022, Vancouver.
13. Pozzobon et al.: Fuzzy Fault Injection Attacks Against Secure Automotive Bootloaders (2023)
The researchers, two of whom are our co-founders, exploited vulnerabilities in secure ECU bootloaders using electromagnetic fault injection (EMFI). The attack targeted flaws in the standardized secure update process, achieving code execution and information leakage without any hardware modification. The method worked on PowerPC and ARM processors, which are common in safety-critical systems, and was demonstrated on ECUs from Volkswagen and BMW.
Impact: The findings reveal critical weaknesses in current update processes, emphasizing the need for improved security measures across the industry.
Source: Pozzobon et al. Fuzzy Fault Injection Attacks Against Secure Automotive Bootloaders (2023). TROOPERS IT Security Conference 2023.
14. Berard and Dehors: 0-Click RCE on Tesla Infotainment Through Cellular Network (2024)
SYNACKTIV’s latest work at Pwn2Own 2024 involved a command injection attack targeting Tesla’s LTE modem. They bypassed protections during boot to achieve root access, exemplifying the importance of securing cellular networks in vehicles.
Impact: This research furthered the industry’s understanding of securing remote connectivity in connected cars.
Source: David Berard and Vincent Dehors. 0-Click RCE on the Tesla Infotainment Through Cellular Network (2024). OffensiveCon 2024.
The Road Ahead
The groundbreaking work of the above-mentioned cybersecurity researchers has exposed vulnerabilities and catalyzed change in the automotive industry. However, as vehicles continue to grow in complexity, the challenge of ensuring their security remains immense.
At dissecto, we specialize in advancing automotive cybersecurity with cutting-edge tools like HydraVision, an automated security testing platform designed to secure embedded systems. By combining automation with deep technical insights, we empower automotive and industrial OEMs to stay ahead of evolving threats.
Do you have questions or need support?
We’re here to help! Reach out to us if you have any questions regarding dissecto HydraVision or our other services: