According to Autoevolution, a video clip recently posted on YouTube shows a man sitting in a Toyota, repeatedly pressing the button next to the steering wheel. A flashing red light indicates that the engine cannot be started because there is no key. The man then takes out a Nokia 3310 phone and plugs it into the car with a black cable. He scrolls through a number of options on the 3310's small LCD screen, which displays "Connect. Receive data".
Toyota car unlocking hacking tools for sale starting at just $2,700
When this happens, the attacker would have full access to the vehicle's functions, including unlocking the doors and starting the engine, the researchers said. It could work on a number of Toyota models, including the RAV4 and Land Cruiser. This is because the attacker could send a fake key authentication message to the ECU. Since some Toyota models accept messages from external ECUs, the attacker could build a device that mimics a secondary ECU, sending a crafted message to start the car's engine and drive away without needing the car's key fob.
The vulnerability isn't limited to the Nokia 3310; many other phones are vulnerable to it. In addition to some Toyota models, the vulnerability also affects Lexus and Maserati vehicles. Exploit devices range from around $2,700 to $20,000.
Start Toyota car with Nokia 3310 without key
To fix the vulnerability, the researchers say, automakers must add cryptographic security to CAN (Controller Area Network) messages. This essentially blocks messages from sources other than authorized ECUs. So far, however, Toyota has seemingly ignored any calls for a patch despite the increasing prevalence of related hacks. For this reason, the researchers decided to go public with the vulnerability, believing that only then will Toyota issue a patch.
At this point, it is unclear whether Toyota will review the report and develop a patch to address this existing vulnerability.
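The fix the researchers call for, authenticating CAN messages so that a receiving ECU ignores frames from senders that do not hold the key, can be sketched as follows. This is an added example, not code from the researchers, Toyota or Autoevolution; the frame layout, CAN ID, key, and the choice of a truncated HMAC-SHA256 tag with a counter are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration only (assumptions, not from any vehicle).
DEMO_KEY = b"constructed-demo-key"    # a real ECU keeps its key in secure hardware
START_CMD_ID = 0x123                  # hypothetical CAN ID of an engine-start command
DATA_LEN, CTR_LEN, TAG_LEN = 2, 2, 4  # fills the 8-byte classic CAN payload


def _tag(key: bytes, can_id: int, body: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the CAN ID, data and counter."""
    msg = struct.pack(">I", can_id) + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(can_id: int, data: bytes, counter: int, key: bytes = DEMO_KEY) -> bytes:
    """Sender side: payload is data || counter || tag."""
    if len(data) != DATA_LEN:
        raise ValueError("data must be exactly DATA_LEN bytes")
    body = data + struct.pack(">H", counter)
    return body + _tag(key, can_id, body)


class ReceiverECU:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes, allowed_ids):
        self.key = key
        self.last_counter = {cid: -1 for cid in allowed_ids}

    def accept(self, can_id: int, payload: bytes) -> bool:
        if can_id not in self.last_counter or len(payload) != DATA_LEN + CTR_LEN + TAG_LEN:
            return False
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, body)):
            return False  # sender does not hold the shared key
        (counter,) = struct.unpack(">H", body[DATA_LEN:])
        if counter <= self.last_counter[can_id]:
            return False  # replayed or stale frame
        # Simplification: a 16-bit counter wraps; real designs use a longer freshness value.
        self.last_counter[can_id] = counter
        return True
```

Binding the CAN ID and a counter into the tag means a frame recorded from the bus cannot be reused later or re-sent under a different ID.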