These weaknesses can be extremely dangerous, and car manufacturers can get very sloppy with their security. In just one example, a car hacker known as L&M realised that two GPS car tracking apps had given all customers the same default password (123456) on sign up, allowing anyone to gain access to thousands of accounts. As well as the flaws providing access to personal and financial details, L&M exposed an incredibly dangerous vulnerability: the ability to remotely stop the engine of some of the vehicles using these apps.
Finding and reporting vulnerabilities like this is central to the car hacking community. There has been a lively, Car Hacking Village at DEF CON since 2015, where car hackers educate security researchers about modern-day vehicle systems, experiment with technology, and play with all sorts of motorised vehicles, from upgrading mobility scooters to making a car escape room where you have to hack your way out of a locked SUV.
The best way to get started with car hacking is to get yourself a copy of The Car Hacker’s Handbook by Craig Smith of @OpenGarages and a car hacking board such as the CANtact, the M2 by Macchina, or the Carloop. These devices plug into the OBD-II diagnostics port, standard in all vehicles made in the last 25 years, and communicate over the CAN bus with the ECU (Engine Control Unit) and other sensors and actuators throughout the vehicle. Open-source programs exist to both interpret the messages on the CAN bus, like tachometer data, and send messages to control dashboard readouts and much more.
There are also lots of car hackers on Twitter that I follow to keep up with the latest news, including Robert Leale (@carfucar) and Kirsten Sireci Renner (@Krenner), who co-founded the DEF CON Car Hacking Village, and Ian Tabor (@mintynet), who runs the UK Car Hacking Village