Security researchers at the recent DEF CON hacker convention expressed both amusement and disbelief at the significant security vulnerabilities they discovered within automaker systems and their associated dealership networks. Independent security researcher Eaton Zveare said, "I target automakers just for fun... They have thousands of subdomains out there, and each of those is just an exploit waiting to happen." His findings highlighted how far behind traditional car companies often are in software development and security compared to tech firms.
Zveare's main presentation (titled "Unexpected Connections") detailed how a vulnerability in an online platform used by over 1,000 US dealerships of a major, unnamed automaker could have allowed a hacker to remotely access customer data, manage sales, and even potentially unlock cars from anywhere.
Reddit users on forums like r/netsec and r/cars discussed the findings, with some commenting on the surprising extent of the exploitation and the general lack of robust security within the automotive industry.
Industry Gaps: The general consensus among the security community at the conference, and echoed on social media, was that automakers have significant security gaps. One user on the r/Defcon subreddit noted that the car hacking community still seems small and "in development," which is not a positive sign for the state of industry security.
Electric vehicle maker Rivian was noted by some Reddit users for its positive engagement, with comments praising the company for having a bug bounty program and a visible presence at the "Car Hacking Village" for two years in a row.
Overall, the sentiment at DEF CON and on social media was that the automotive industry is often the "butt of the joke" when it comes to cybersecurity, providing easy targets for skilled hackers.