Great article. But:

> And part of the problem is that this isn’t a vulnerability disclosure and so the processes that Toyota does have in place are not appropriate.

I didn't follow this part. I hear that the authors think their "you can use CAN fault injection followed by a spoofed unlock command to steal cars" technical writeup is not a vulnerability disclosure. But why not? (Other than because they said so.)

The fact that the vulnerability is exploited in the wild doesn't prevent it from being appropriate to report it as a vulnerability -- quite the opposite. They even provide several fix suggestions.

(I'm not personally arguing that it is wrong to disclose the vulnerability without coordination. I'm arguing that it's weird to make a choice like that while claiming you aren't making one.)
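The attack pattern named above (a burst of bus errors from fault injection, then a spoofed unlock command) is also a detectable pattern. As an added example that is not code from the linked article or from any commenter, here is a small offline heuristic over a constructed candump-style log: it flags an unlock frame that arrives shortly after a burst of error frames. The arbitration ID, the timing thresholds, the log format and the sample lines are all assumptions made for illustration, not values from any real vehicle.

```python
"""
Added example (not from the linked article or any commenter): a small
offline CAN-log heuristic for the attack pattern described in the thread,
i.e. a burst of bus error frames (the "fault injection") followed shortly
by a door-unlock command. All CAN IDs, timings and the log lines below
are constructed assumptions for illustration, not real vehicle values.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed (hypothetical) arbitration ID carrying the unlock command on
# this imaginary vehicle. Real IDs differ per make, model and year.
UNLOCK_ID = 0x2A5

# Heuristic thresholds (assumptions; tune per vehicle and bus load).
ERROR_BURST_MIN = 3      # this many error frames counts as a burst
UNLOCK_FOLLOWUP_S = 2.0  # an unlock this soon after a burst is suspicious


@dataclass
class Frame:
    ts: float               # seconds since start of capture
    can_id: Optional[int]   # None for an error frame
    data: bytes
    error: bool = False


def parse_line(line: str) -> Frame:
    """Parse one constructed log line: '<ts> <ID>#<HEXDATA>' or '<ts> ERR'."""
    ts_s, rest = line.strip().split(maxsplit=1)
    ts = float(ts_s)
    if rest == "ERR":
        return Frame(ts, None, b"", error=True)
    id_s, data_s = rest.split("#")
    return Frame(ts, int(id_s, 16), bytes.fromhex(data_s))


def find_suspicious_unlocks(frames: List[Frame]) -> List[float]:
    """Return timestamps of unlock frames preceded by an error burst.

    A sliding list holds error-frame timestamps within UNLOCK_FOLLOWUP_S of
    the current frame; an unlock command is flagged when at least
    ERROR_BURST_MIN of them are still in that window.
    """
    recent_errors: List[float] = []
    alerts: List[float] = []
    for f in frames:
        # Drop error frames that are too old to matter for this frame.
        recent_errors = [t for t in recent_errors if f.ts - t <= UNLOCK_FOLLOWUP_S]
        if f.error:
            recent_errors.append(f.ts)
            continue
        if f.can_id == UNLOCK_ID and len(recent_errors) >= ERROR_BURST_MIN:
            alerts.append(f.ts)
    return alerts


def analyze(log_text: str) -> List[float]:
    """Parse a whole log and return the suspicious unlock timestamps."""
    frames = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return find_suspicious_unlocks(frames)


# Constructed sample capture: a benign unlock at t=0, an error burst at
# t=1.0-1.1 followed by an unlock at t=1.9 (the pattern), then a lone
# error frame at t=5.0 and a normal unlock at t=6.5 (should not alert).
SAMPLE_LOG = """\
0.000 2A5#00
0.100 1C4#0102
1.000 ERR
1.050 ERR
1.110 ERR
1.900 2A5#01
5.000 ERR
6.500 2A5#01
"""

if __name__ == "__main__":
    for ts in analyze(SAMPLE_LOG):
        print(f"suspicious unlock at t={ts:.3f}s: error burst preceded it")
```

The point of the heuristic is that a legitimate body-control module does not need the bus to be knocked into error states before it sends an unlock, so the temporal pairing is a cheap signal even without message authentication. It is a detection aid only; it does not stop the spoofed frame from being accepted, which is the fix the article's suggestions are aimed at.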



He's definitely letting Toyota off the hook there. This absolutely is a vulnerability and whatever the size of the company they should have a way to promptly deal with vulnerabilities.

(Of course it also doesn't surprise me in the least that Toyota isn't taking it seriously)


I can say that Toyota Insurance in the UK takes it seriously, they installed an immobilizer (the key fob for which is branded with a Lexus L) for free on my 2020 Lexus RX to combat this issue. I'm probably going to buy a steering wheel lock, more to advertise that the car will be a pain to steal than for any additional protection.

I first heard of the CAN bus hacking late last year (in an owners forum) but it does seem to have become more widespread this year.


I can't tell whether they attempted to disclose it to Toyota through normal vulnerability disclosure channels, though. The article implies to me that they didn't.


> Ian has tried to get in touch with Toyota to discuss the CAN Injection attack, and to offer help, but hasn’t had much success.

That certainly sounds like a yes.


I read that as more "we cold emailed people looking for a potential contact" than "we submitted this vulnerability to their PSIRT". The fact that they say this is not a vulnerability disclosure situation suggests that they did not use the vulnerability disclosure communication methods.


I read it as "we tried contacting them through their standard processes, and were told it didn't fit in" but I can see your reading now that I've gone back and reread that specific section again. It's indeed quite vague as to whether they were the ones that made the decision or Toyota.


According to his disclaimer, it's most of the manufacturers with the exact same vulnerability.



