What you need to know about car hacking

Cars aren’t just machines anymore — they’re computers on wheels. Modern vehicles are packed with sensors and software that make driving more convenient but also create new opportunities for hackers to break in.

On the Random but Memorable podcast, we spoke with Joseph Cox, a journalist at 404 Media who has spent years reporting on the darker side of technology. He explains what “car hacking” really means — from the tools criminals use to unlock and steal vehicles to the broader privacy risks that come with increasingly connected cars.

Our conversation explores how car hacking has evolved, why some vehicles are more vulnerable than others, and what could happen as we move toward a world of self-driving cars and autonomous taxis.

Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.

Nick Summers: When we talk about “car hacking,” what exactly does that mean? Is it just about unlocking a car and starting it, or does it involve something more sophisticated?

Joseph Cox: It's quite a broad spectrum. I personally focus on the hackers and criminals who are developing exploits or using some piece of hardware to unlock and drive away with the vehicle. I'm always interested in the intersection between digital and physical crime – and driving off with somebody's car is pretty physical!

But there's other stuff as well. For example, there are privacy issues with modern vehicles. You could say that car hacking also includes getting into the back-end of specific services and seeing vehicle locations – that’s something that cybersecurity researchers have done. 

All of that would fall under the term “car hacking”. I'm just personally more focused on criminals getting the car, maybe stealing stuff from the car, and then potentially driving away as well. 

NS: How has car hacking evolved? As cars become smarter and more like rolling computers, how has that changed the way hackers try to break into them?

JC: Car hacking is funny because it isn’t strictly linear. Years ago, Andy Greenberg at Wired published an article and accompanying video where two security researchers remotely broke into a vehicle he was driving. That was something like 10 years ago.

So you would naturally think, “Wow, if that was happening back then, now all of the Teslas or Waymos in the world are going to be hacked.” But that didn't happen. You had some really extreme examples early on which were performed in a controlled environment. It wasn't in the wild. 

But there are real-world criminal elements who are using devices to unlock vehicles, start engines and drive off. So even though there’s a large mix of techniques and attacks, it's not linear in the sense that hackers got more sophisticated. And when it comes to car manufacturing, there are so many variables. Some manufacturers are going to have better security than others. 

So it's an incredibly varied ecosystem when it comes to security and hacking.

NS: Is it harder to break into a car from 20 years ago — one that was completely analog — or a modern car that has more technological vulnerabilities but also stronger defenses?

JC: It's not a straightforward answer but I would lean towards the latter. Yes, cars have gotten more secure, but there’s a larger attack surface now with infotainment systems and the connectivity to various services, as well as how the vehicles function, from unlocking to turning on and running the engine.

"Cars have gotten more secure, but there’s a larger attack surface now."

I would say, yes, it's difficult, but depending on the vehicle it might be easier today. Maybe I'm gonna regret saying that and somebody is going to correct me but that's the vibe I get based on my reporting.

NS: Earlier, you mentioned the possibility of tracking car locations. Is that something that hackers are interested in? Is there value in the data collected by modern cars?

JC: It's something that cybersecurity researchers look into. 

I did some ‘attacker in the middle’ work with a certain car location app several years ago that showed the location of vehicles. I was able to find people's likely home addresses or work addresses, that sort of thing. But I haven't really seen criminals saying “let's get the location data of vehicles.” Because in the end, what are they going to do with that? They're probably going to use it for blackmail. And maybe that would be how they find out your home address. But they've got way quicker ways to find your home address than to do it through the location data of your vehicle. 

But who knows? Maybe it could be useful later on. But I haven't seen that in the criminal elements I speak to.

NS: You've written a story about the Flipper Zero. Can you explain what that device is and how it's designed for good security purposes?

JC: The Flipper Zero is basically the Swiss Army knife of penetration testing. I've long wanted to own one, I just haven't gotten around to buying it. I've bought various other pieces of pentesting and hacking gear over the years. 

But you can do a lot of stuff with this single tool. And of course that's the attraction because if you’re doing a physical pen test – say you're trying to get into a Fortune 500 company or a bank – you might need to bypass the security, then plug a USB stick into the server and so on. It's better if you have just one piece of gear that can help you do a bunch of things. And the Flipper Zero can do that. It’s used every day by professional security professionals. 

Criminals have also noticed this technology. It’s always been the case in information security that a legitimate penetration testing tool can be flipped around and used by more malicious parties.

NS: Do you know who is responsible for twisting this research and ethical hacking device into one that can be used for malicious purposes?

JC: I only know his first name – or at least the first name that he gives – and it's Daniel. 

He says he was the creator of this new piece of firmware for the Flipper Zero called Unleashed. And the idea was that “the Flipper Zero is great, but we want to do even more powerful stuff with it.” So Daniel says he made this piece of firmware. And then on the side he sells the capability for unlocking vehicles. And his partner is a guy called Derrow who sells [the same capability] but for Raspberry Pis as well.

Daniel says he's in Russia. I’ve looked at videos that he’s uploaded to YouTube and I could see road signs for Moscow Airport in the background. I don't know where Derrow is. I asked “are you in Russia as well”, he said no but declined to elaborate further.

NS: How quick are car manufacturers to respond to something like this? Is it something they're getting better at?

JC: It's varied. Obviously, you see car manufacturers do recalls. There was a Cybertruck recall somewhat recently. So I do think car manufacturers care about this sort of thing. 

With other sorts of car-unlocking attacks, we’ve seen manufacturers maybe not patch but mitigate them somewhat over the years. 

But with the Flipper Zero, there's a fundamental problem that revolves around rolling codes. Essentially, the key fob will generate a new code every time. An analogy would be a one-time password or a fresh 2FA token. The idea being that even if an attacker got my old 2FA token, they wouldn’t have the new ones, so they couldn't get into my car.

Daniel says he has bought source code related to unlocking vehicles, and this has allowed him to figure out the algorithm that generates those rolling codes. So it's almost like he has the 2FA secret. So he can then predict what the new rolling code is.

Of course, manufacturers could go and fix that by changing the algorithms and making them more robust, but I don't know if they’ve done that yet. Maybe they have. I just don't know whether they've addressed this specific attack or not.

NS: Are there any other hacking techniques that work right now?

JC: It depends on the vehicle. But there are so many old cars going around that these established attacks are going to be used for a while. 

There's a pretty common one called a relay attack. Imagine your car is parked in your driveway and your keys are in the fruit bowl on the kitchen counter. And the fob is what unlocks the vehicle. Thieves will use a device or a combination of devices to extend that signal from the kitchen out of your house to the driveway and then to the vehicle. That allows them to hijack or piggyback off that signal, unlock the car and drive away. We’ve seen footage from UK police where criminals are using this in 2024. With so many old vehicles going around, they're probably still going to be vulnerable to that form of attack. 

"There are so many old cars going around that these established attacks are going to be used for a while."

I've spoken to people who develop and sell that sort of technology specifically for targeting luxury vehicles. Very fancy SUVs with blacked-out windows, all of that sort of thing. So there's definitely still a demand for it. I think it's going to depend on the local circumstances. Are you trying to steal cars in a fancy part of Los Angeles, or somewhere in Germany or France?

NS: Luxury vehicles are interesting. It’s like the difference between targeting everyone with a blanket phishing attack, and targeting someone specific who is particularly high value.

JC: There was a fascinating piece in Bloomberg Businessweek that showed the other end of the supply chain. A lot of the stolen cars in the US and Europe end up in West Africa. And they were showing that people will “order” a specific car, and that'll be communicated to thieves in the US who will go and find it, steal it, and then send it off to West Africa. So there's the whole demand part of the equation on the other side of the world as well.

NS: Is the motivation behind car hacks always financial? Or are there other motives? Would someone ever steal a car and then keep it for themselves? We mentioned tracking car locations earlier – could traditional stalking be a motivation?

JC: It could be really varied. When I asked Daniel, he said, “Yeah, people may be using it to steal cars.” I'm sure he probably knows more than he's letting on. The goal could be to steal the vehicle and sell it overseas, as I mentioned with that Bloomberg piece. It could be simply to joyride the vehicle and throw it away. 

"The goal could be to steal the vehicle and sell it overseas."

Or it could be to steal valuable stuff inside the vehicle. That said, I remember years ago when my family car was robbed and they stole stuff inside, they just smashed the window. But that was in the 1990s. What I'm trying to say is that if you're just trying to steal a bag that’s inside a vehicle, maybe a hammer is your best option. You don’t need to start the vehicle which is where the technical complexity comes in. 

Keeping a vehicle would be, from a criminal's perspective, a lot harder. You have to change the plates because those are still unique identifiers. If the car has some sort of location tracking built-in, the victim and the authorities are going to be able to look at the map and say, “Well, there's the car, let's go and get it back.” So I think that would be foolish. 

With stalking, you might want to unlock the vehicle and put an Airtag in there or another form of GPS tracker. But people often put those in the wheel or under the vehicle. Or they’ll try to get the tracker inside the target's bag or something. When it comes to stalking, the lengths that creeps, weirdos and stalkers go to can be crazy. So it would not surprise me if one used some sort of technology. It would be rare but I wouldn't be surprised if I saw someone use something like this.

NS: As we move closer to a world of fully self-driving cars and autonomous taxis, how might car hacking change?

JC: There's a good chance there will be some sort of privacy scare around self-driving or autonomous taxis. It could be something around finding the location of all of these vehicles. But that is not the same as unlocking a vehicle and that sort of thing. And there is a really big separation there between privacy and security.

We'll still see car hacking, absolutely. I'm sure this technology is going to get into more people's hands and more vehicles are going to be stolen using it. But as more vehicles become connected and autonomous taxi services, I'm thinking less about the security of those services and more about the privacy stuff. Because there's usually an app [behind these services] and there's probably some stupid exposed database which has the location of all of the taxis and it inevitably is going to be compromised at some point at some point in the future. 

NS: How widespread is car hacking? Is it something that consumers should be worried about? 

JC: People have to worry about the relay attack where the key fob is in the house and the vehicle is on the driveway. I do think people have to worry about that. You should probably do a Google search for the brand and model of your vehicle, followed by “relay attack” or look for some news stories and just see if your vehicle is one of the ones that have been stolen. And then be conscious of how you store that key fob. 

"Be conscious of how you store that key fob."

When it comes to the attack with the rolling codes, I don't think people really need to lose sleep over it … yet. The attack is being held among a relatively small group of hackers and tinkerers and criminals. It comes down to whether the thieves are going to have the motivation, the technical sophistication, and the cash to buy the tool.

Enjoyed this episode of Random but Memorable? Chat with other fans in our forum!