
Shane Brown

The Gray-Hat Hacker Who Controls Your Car Before Criminals Do

Sam Curry was 22 when he got inside Tesla’s internal vehicle management tooling. He was on a road trip with a cracked windshield. While he waited for support, a blind XSS payload he had submitted earlier fired inside one of Tesla’s internal applications and gave him a foothold in their systems. From there, he had a clear path to SSH keys for customer vehicles: complete control over any Tesla on the road.

Tesla paid him a $10,000 bounty. The payout covered his entire road trip and launched his career.

Today, Curry hunts vulnerabilities in connected vehicles. He finds the holes before criminals do. He reports them to manufacturers. He forces fixes before your car becomes someone else’s remote control toy.

The Subaru Hack: One License Plate, Total Control

On November 20, 2024, Curry and fellow researcher Shubham Shah found a critical flaw in Subaru’s STARLINK connected-vehicle service. The vulnerability was simple. The potential damage was massive.

They needed only one identifier: a license plate number, or a last name and ZIP code, or an email address. Any one was enough. With it they gained unrestricted access to millions of Subarus across the United States, Canada, and Japan.

Here’s how the attack worked:

Curry and Shah found an admin portal built for Subaru employees. Its password reset endpoint accepted a new password for any account given only that account’s email address; the server never required a reset token or any other proof that the requester owned the mailbox. Employee addresses followed a guessable pattern (first initial plus last name at subaru.com), easy to harvest from LinkedIn. Two-factor authentication existed only as a client-side overlay in the page; removing that overlay skipped it entirely, because the server itself never verified that a second factor had been completed. Full access granted.
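The two failures above (a reset endpoint with no token, and a second factor enforced only in the browser) are easier to see side by side. The following is an added example, not Subaru’s code and not from Curry and Shah’s write-up: a constructed in-memory portal in the vulnerable shape, beside a hardened version that issues single-use expiring reset tokens and checks a time-based code on the server. The class names, accounts and secrets are all hypothetical.

```python
"""Added example (not Subaru's code): password reset and second-factor
enforcement, vulnerable shape beside hardened shape. Everything here
(accounts, secrets, the 'outbox' standing in for e-mail) is constructed."""
import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP over floor(now / step)."""
    counter = int(now // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class VulnerableAdminPortal:
    """Reset with no proof of mailbox ownership; 2FA exists only in the UI."""

    def __init__(self, emails):
        self.accounts = {e: {"salt": secrets.token_bytes(16), "hash": None} for e in emails}

    def reset_password(self, email, new_password):
        # Anyone who can guess an employee address (first initial + last
        # name) sets a new password: there is no token for the server to check.
        acct = self.accounts[email]
        acct["hash"] = _hash_password(new_password, acct["salt"])
        return True

    def login(self, email, password, mfa_overlay_completed):
        acct = self.accounts.get(email)
        if acct is None or acct["hash"] is None:
            return None
        if not hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"])):
            return None
        # The flag is whatever the browser sends. Deleting the overlay makes it
        # irrelevant: the session is fully privileged either way.
        return {"email": email, "full_access": True}


class HardenedAdminPortal:
    """Single-use, expiring reset tokens; second factor verified server-side."""
    TOKEN_TTL = 600  # seconds a reset link stays valid

    def __init__(self, emails):
        self.accounts = {
            e: {"salt": secrets.token_bytes(16), "hash": None,
                "totp_secret": secrets.token_bytes(20)} for e in emails
        }
        self._reset_tokens = {}  # token -> (email, expiry)
        self._pending_mfa = {}   # session id -> email, until the second factor passes
        self.outbox = []         # stands in for e-mail delivery (constructed)

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email in self.accounts:  # same reply either way: no account enumeration
            token = secrets.token_urlsafe(32)
            self._reset_tokens[token] = (email, now + self.TOKEN_TTL)
            self.outbox.append((email, token))
        return "If that address exists, a reset link has been sent."

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self._reset_tokens.pop(token, None)  # single use, valid or not
        if entry is None or entry[1] < now:
            return False
        email, _expiry = entry
        acct = self.accounts[email]
        acct["hash"] = _hash_password(new_password, acct["salt"])
        return True

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct["hash"] is None:
            return None
        if not hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"])):
            return None
        sid = secrets.token_urlsafe(16)
        self._pending_mfa[sid] = email
        return {"session": sid, "full_access": False}  # partial until 2FA passes

    def verify_second_factor(self, sid, code, now=None):
        now = time.time() if now is None else now
        email = self._pending_mfa.get(sid)
        if email is None:
            return None
        expected = totp(self.accounts[email]["totp_secret"], now)
        if not hmac.compare_digest(expected, code):
            return None
        del self._pending_mfa[sid]
        return {"session": sid, "full_access": True}
```

The point of the hardened version is that nothing the browser sends decides privilege: the reset token is generated and checked on the server, and a session stays partial until the server itself has verified the second factor. Removing an overlay changes nothing there.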

Inside the admin dashboard, they saw everything. Customer names and addresses. Emergency contacts. Partial credit card numbers. Location history going back years. They added themselves as authorized users to any vehicle. No confirmation required. No notification sent.

They tested the exploit on Curry’s mother’s car. They looked up her license plate in the admin panel, added themselves as authorized users, and remotely unlocked the car while she sat inside her home. She received no text, no email, no warning.

Curry and Shah reported the vulnerability at 11:54 PM on November 20. Subaru responded in eight hours. The patch went live by 4:00 PM the next day, within 24 hours of the report. No criminal exploitation was ever found. But the implications were staggering: remote unlock, engine start, and a year of location history for millions of vehicles, with no owner ever notified.

The Same Flaw, Different Manufacturer

The Subaru discovery wasn’t unique. In research published in January 2023, Curry and a team of researchers audited the APIs of 16 car manufacturers and automotive service providers. Ford. Toyota. Mercedes-Benz. BMW. Porsche. Ferrari. Honda. Nissan. Infiniti. Kia. The list goes on.

The pattern repeated everywhere. Poor API authentication. Authorization keyed on the vehicle identification number alone, with little validation of who was asking. Overly broad permissions for third-party services.

“We would find a vulnerability on one car company and then we would report it, then we would switch to a different car company and it’d be the exact same thing,” Curry explained.

Armed with a VIN (visible through any windshield), attackers had access to personal information, remote lock/unlock functions, engine start/stop controls, and GPS location data. The team found at least 20 distinct vulnerabilities affecting millions of vehicles globally.

One discovery involved Reviver, a digital license plate company. The flaw granted attackers full super administrative access to manage all user accounts and vehicles. Another, in Spireon’s fleet and vehicle tracking platform, gave administrative access to telematics for an estimated 15.5 million vehicles, including the ability to send commands to them and disable the starter.

For Honda, Infiniti, Nissan, and Acura vehicles using SiriusXM’s connected vehicle service, Curry found the VIN alone was enough. Remote lock. Remote unlock. Engine start. Horn honking. All accessible to anyone with the 17 characters visible on your dashboard.

Why This Keeps Happening

These vulnerabilities aren’t random. They’re systemic. Most manufacturers rely on third-party vendors for APIs, infotainment systems, and telematics platforms. They don’t build critical security infrastructure in-house.

Ted Miracco, CEO of security firm Approov, put it bluntly: “The automotive industry is facing a lot of challenges in this area. I think there was a rush to get a lot of applications out with a lot of functionality quickly and some of the rush to do these things is coming back to haunt a number of the manufacturers.”

Many automakers also lacked bug bounty programs. When Curry reported his findings, most companies patched the vulnerabilities. But there was no formal system to encourage this research. Some manufacturers like Tesla have established programs with open disclosure policies and active bug bounties. Industry-wide adoption remains spotty.

The Jeep Hack Changed Everything

Charlie Miller and Chris Valasek laid the groundwork for automotive security awareness in 2015. They spent over a year analyzing Jeep connectivity systems. They found a way to exploit the Uconnect infotainment system remotely, over the cellular network, from anywhere on the internet.

They controlled the windshield wipers. They blasted the stereo. They killed the engine and cut the transmission while the car was moving on the highway. At low speeds they could disable the brakes and, by abusing the parking-assist system, turn the steering wheel.

In their most famous demonstration, they hijacked a Jeep Cherokee with a WIRED journalist at the wheel. Miller sent commands from his laptop ten miles away.

They didn’t release their findings immediately. They shared the research with Chrysler about nine months before publication. The company had time to develop and distribute patches. Chrysler recalled 1.4 million vehicles. The industry started taking connected car security seriously.

Responsible Disclosure Matters

Curry operates differently from black hat hackers. When he finds vulnerabilities, he reports them to the manufacturer first. He gives companies 45 to 90 days to develop and release patches. Then he publishes the findings.

This approach has consequences. Curry has helped patch vulnerabilities affecting hundreds of millions of vehicles. None of his discoveries have been weaponized against drivers. His Subaru report was fixed in 24 hours. His SiriusXM finding was remediated immediately. His research on 16 automotive brands led to industry-wide patches.

Sandeep Singh, senior manager at HackerOne, notes the stakes: “The interconnectedness of our devices is making securing cars more challenging. Cyberattacks on cars increased by 225% in the last three years, with 84.5% of these attacks executed remotely.”

Progress Is Happening

The work of researchers like Curry is changing the industry. Major manufacturers now have bug bounty programs. BMW, Mercedes-Benz, and Porsche actively solicit vulnerability reports. They offer monetary rewards for verified findings.

Regulatory attention is increasing too. ISO/SAE 21434, published in 2021, sets out a cybersecurity engineering process for road vehicles, and UN Regulation No. 155 makes a cybersecurity management system a type-approval requirement in the markets that have adopted it. The industry is recognizing that security must be fundamental to vehicle design from the start.

Challenges remain. The automotive product cycle spans roughly four years. Vulnerabilities discovered today may not be addressed across the fleet for years. Supply chain complexity makes patch distribution slow. Aftermarket devices like wireless CarPlay adapters and smart dashcams add their own vulnerabilities outside manufacturer control.

The New Model for Hackers

Sam Curry’s story represents a shift in how society views hackers. A generation ago, discovering these vulnerabilities might have led to legal consequences or pressure to sell exploits on the black market. Instead, he built a career finding vulnerabilities responsibly. He influences major technology companies. He improves security for millions of people he’ll never meet.

His approach combines technical skill with ethical reasoning. He reports findings instead of exploiting them. He accepts recognition through legitimate channels instead of criminal ones. His greatest satisfaction comes from ensuring only authorized people control vehicles.

The gray-hat hacker isn’t trying to steal your car. They’re working in the background. They find the flaws criminals would exploit. They force manufacturers to fix them before it’s too late.

In an era of connected vehicles, we need these hackers on our side.
