Toyota runs a car-hacking event to boost security (2024)
In-vehicle networks and CAN vulnerabilities
- Commenters note the longstanding insecurity of the CAN bus and related components (e.g., TPMS), citing past demonstrations of remote vehicle control.
- One participant claims many TPMS units use “CAN over IP”; another with industry experience disputes this, saying no such architecture exists in production vehicles and that the relevant IP-based protocols belong to separate automotive Ethernet systems.
- Poor physical design choices are criticized, such as routing CAN lines connected to the key-fob system to places that can be reached from outside the vehicle (e.g., behind headlights, radar units, rear lights).
Toyota’s security efforts and industry practices
- Several people praise Toyota for openly inviting hacking versus companies that downplay or hide issues.
- Others point out there is already an established automotive pentesting industry and bug bounties; manufacturer-run events are seen as complementary rather than novel.
- Some argue the biggest “security fix” would be to stop cars from phoning home or to reduce remote-control capabilities.
EV vs hybrid strategies and Toyota’s trajectory
- One camp predicts Toyota will become a “Nokia/Kodak” if it doesn’t go hard into BEVs, calling current BEV offerings weak and comparing Tesla to the iPhone.
- Others counter with Toyota’s record global sales, profitability, and strong hybrid demand, arguing there’s little business pressure to rush into BEVs and that many markets lack viable charging infrastructure.
- Debate extends to EU makers (seen by some as worse off due to reliability and weak EVs), Tesla’s future (either dominant or about to crash), and Chinese EVs (BYD, MG) as rising competition with mixed quality perceptions.
- One long comment ties Japan’s cautious BEV stance to dependence on Chinese battery materials and fears of regional conflict, suggesting strategic risk in overreliance on Chinese supply. Others reply that China is already eroding Japanese market share with EV exports.
Charging, ownership costs, and user preferences
- Pro-BEV users emphasize low maintenance (only tires and wipers for many years), cheaper “fuel” per mile, and overnight home charging, saying modern fast chargers make many long trips acceptable.
- Skeptics highlight longer refuel times, higher electricity prices in some countries, and the unmatched convenience of quickly filling a gasoline or hybrid vehicle.
Keyless entry, relay attacks, and theft
- Real-world relay thefts (relaying the signal of a fob inside the house to the car outside, so the car believes the fob is next to it) are discussed; people ask whether consumer-grade electronics can enforce strict round-trip timing.
- UWB-based systems (such as those used in modern digital keys) are cited as accurate enough for secure ranging, though it’s noted that standardized secure ranging in that ecosystem is very recent.
- Several note design tensions: immobilizers drastically reduce theft but can strand owners when keys, fobs, or programming fail. Some owners describe being stuck due to fob/immobilizer issues and wanting a true mechanical fallback.
- Participants explain that most keyless systems let the car keep running after the initial authentication (so the engine does not cut out while driving), which thieves exploit by pairing a new fob via the OBD port after gaining entry.
- There’s disagreement over whether EVs are meaningfully “theft-proof”: one argues practical barriers (charging, apps, tracking), others counter that thieves can still use or part out EVs easily.
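The round-trip-timing question above comes down to distance bounding: the car measures how long a challenge/response takes, and because radio travels at the speed of light, every extra metre of path adds about 6.7 ns to the round trip, so a relay that cannot forge the response still shows up as excess latency. The simulation below is an added example, not code from the discussion or from any manufacturer's system; it assumes a fixed 100 ns fob turnaround, a 2 m bound, and modelled (not measured) timings. It shows a genuine fob accepted, a relayed fob rejected on timing alone, a wrong key rejected on the tag, and how much distance a relay gains for every nanosecond of timing jitter the car has to tolerate, which is why the bound is only meaningful with hardware-level timestamping such as UWB.

```python
"""Toy distance-bounding simulation for keyless entry (added example).

Assumptions (not from the original discussion):
  * the fob answers a 16-byte nonce with a truncated HMAC-SHA256 tag;
  * the fob's turnaround time is a fixed FOB_PROCESSING_NS;
  * the car accepts a fob only if the tag verifies AND the measured round
    trip fits within FOB_PROCESSING_NS plus the propagation time for
    max_distance_m. Timings are simulated numbers, not real measurements.
"""
import hashlib
import hmac
import os

C = 299_792_458.0          # speed of light in m/s
FOB_PROCESSING_NS = 100.0  # assumed fixed fob turnaround time


def propagation_rtt_ns(distance_m: float) -> float:
    """Round-trip radio propagation time for a given distance, in ns."""
    return 2.0 * distance_m / C * 1e9


class Fob:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        # 64-bit truncated MAC over the car's nonce (hypothetical format)
        return hmac.new(self.key, nonce, hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, key: bytes, max_distance_m: float = 2.0) -> None:
        self.key = key
        self.rtt_bound_ns = FOB_PROCESSING_NS + propagation_rtt_ns(max_distance_m)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, nonce: bytes, tag: bytes, measured_rtt_ns: float):
        """Return (tag_authentic, within_distance_bound)."""
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()[:8]
        authentic = hmac.compare_digest(expected, tag)
        in_range = measured_rtt_ns <= self.rtt_bound_ns
        return authentic, in_range


def exchange(car: Car, fob: Fob, fob_distance_m: float,
             relay_delay_ns: float = 0.0):
    """Simulate one challenge/response.

    relay_delay_ns > 0 models a relay pair forwarding RF between the car and
    a distant fob: the relay cannot forge the tag (it has no key) but adds
    its own electronics latency on top of the longer propagation path.
    """
    nonce = car.challenge()
    tag = fob.respond(nonce)  # the real fob always answers correctly
    rtt = FOB_PROCESSING_NS + propagation_rtt_ns(fob_distance_m) + relay_delay_ns
    return car.verify(nonce, tag, rtt)


def relay_budget_m(jitter_ns: float) -> float:
    """Extra distance a relay can hide inside jitter_ns of timing slack.

    If the car's clock or the fob's turnaround wobbles by jitter_ns, the car
    must widen its bound by that much, and a relay may add the same delay
    without being noticed; this converts that slack back into metres.
    """
    return jitter_ns * 1e-9 * C / 2.0


if __name__ == "__main__":
    key = os.urandom(16)          # shared secret provisioned at pairing time
    car, fob = Car(key), Fob(key)
    print("fob at 1 m:            ", exchange(car, fob, 1.0))
    print("relayed fob at 30 m:   ", exchange(car, fob, 30.0, relay_delay_ns=40.0))
    print("relay at 1 m, +20 ns:  ", exchange(car, fob, 1.0, relay_delay_ns=20.0))
    print("wrong key at 1 m:      ", exchange(car, Fob(os.urandom(16)), 1.0))
    print("1 us of jitter buys a relay %.1f m" % relay_budget_m(1000.0))
```

The last line is the practical caveat behind the thread's question: a microsecond of timing slack, which is ordinary for firmware-driven RF stacks, lets a relay operate from roughly 150 m away without breaking the bound, so the check only works when the timestamps come from the radio hardware itself.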
Vehicle architecture and remote control
- Legacy automakers are criticized for a “forest of ECUs” from many suppliers, increasing complexity and attack surface. Tesla and Rivian are cited as examples of consolidating to a “big computer” architecture that may be easier to secure.
- Some see Teslas as relatively secure (no hotwiring, tight integration), but others are wary that the manufacturer can remotely disable vehicles, questioning whether that’s better for owners’ autonomy.
- One commenter claims earlier Teslas were largely conventional vehicles with an added big screen, implying security still depends on underlying legacy components.
Bug bounties, hiring criminals, and security research law
- A proposal suggests hiring car thieves or buying dark-web theft tools to understand real attacks, combined with bug bounty programs to “flip” technically skilled criminals.
- A broader debate emerges over legal risk: one view holds that independent car hacking is effectively a felony (e.g., under DMCA anti-circumvention rules), discouraging good-faith research; others challenge that as legally overstated.
- Some emphasize that, regardless of strict legality, companies or governments may retaliate aggressively against researchers who cause embarrassment, creating a chilling effect.
- There’s a philosophical split: either companies should be fully liable for poor security if they monopolize testing, or laws should better protect outside researchers so security becomes a shared responsibility.
Immobilizers, backup methods, and service practices
- Multiple comments clarify that the immobilizer transponder (RFID) typically works without a key battery; many cars also support a backup “hold the fob against the start button” mode or hide a mechanical key inside the fob, which owners frequently don’t know about.
- Some criticize relying on third-party locksmiths for high-stakes keys; others note dealer keys can be extremely expensive.
- A niche discussion covers disabling immobilizers by editing ECU EEPROMs in tuner contexts, with warnings that newer ECUs are harder to open or modify.
Miscellaneous
- Short humorous reactions (“Pwn2Own?”, “Hack-a-Toyotathon”) appear but don’t develop into deeper discussion.
- One person calls for Toyota to keep cars tunable like older performance models, reflecting tension between security/DRM and enthusiast modification.