Cr0wTom
@cr0wtom.bsky.social
#hacking #cars for doughnuts @ Cr0w's Place 🍩 CTO @ Auxilium Pentest Labs 🏎️ DEF CON Speaker ☠️

https://cr0wsplace.com

#infosec #cyber #automotive
December 1, 2024 at 1:31 PM

It was a warm night in Arizona when I had access to a rental unit from one of the biggest OEMs in the industry. Naturally, I couldn’t resist poking around. Before long, I discovered several vulnerabilities, including one that allowed me to engage the blind spot detection sensor.

This meant I could potentially trigger a safety-critical event on the ADAS system, as specific lane change functions relied on the BSDS. I immediately searched for a Vulnerability Disclosure Program (VDP) from the OEM to responsibly disclose the findings. But no luck.

Two years later, after multiple attempts to find the right contact, I finally got a response. The contact quickly confirmed the vulnerability, and we realized it affected several vehicle models across multiple model years. We escalated the issue internally.

But the OEM decided that the cost of fixing the issue was too high for these models. Their reasoning? "The new E/E architecture will fix these issues in future models—MY25/MY26," meaning the current architecture remains vulnerable.

Feeling desperate, we agreed that I could share the finding with a generic automotive-related VDP to push the OEM to act. So I did. But after just a few emails, the OEM stopped responding to the VDP, without any explanation.

Over a month passed with multiple follow-ups from our side, but still no response. Then, out of the blue, they told us they "cannot collaborate with hostile nations." 😳

CLEARLY, I’m not from a hostile nation, nor was I in contact with any. So, WTF was happening here? And it didn’t stop there—people from the industry also accused me of this outside the responsible disclosure process.

At this point, I sent an official statement to the OEM and my contact, stating that this behavior was unacceptable and could compromise not only my professional life but my personal life as well.

I also informed them that I would be discussing this situation and publishing my findings during my @defcon.bsky.social talk, as the embargo period we had set during the disclosure process had long expired.

And that’s when the OEM finally responded:

Funny thing is, they were the ones who first asked if the finding applied directly to the ECU or via the user-accessible OBD port. 🤷‍♂️

The plot twist? The accusations were based on the fact that the name of the main contact from the official non-profit VDP, based in the US, was from a "hostile nation." The OEM’s legal department decided they couldn’t collaborate with us, without mentioning anything else.

The SECOND plot twist? This contact from the VDP was chosen internally (I had nothing to do with the selection process) because he works for the OEM, he lives in the motherland of the OEM, and he would be the perfect person to push for the fixes and the disclosure. 🤦‍♂️

After years of drama, today I’m releasing the following vulnerabilities:

- CVE-2024-6348: Predictable seed generation after ECU reset (nvd.nist.gov/vuln/detail/...)
- CVE-2024-6347: Unauthorized access to ECU functionality (nvd.nist.gov/vuln/detail/...)

Nothing to be said about them; I don't care about the technical aspect of it, and you should not either. Technically, I didn't do any magic here.

I just want to share one of the examples of how this industry is treating researchers (not always, of course), how we get pushed to the ground, decades after cybersecurity and vulnerability disclosure became mainstream, and how it's all of us that need to push for a safer future.

Yes, #DEFCON was a dream come true for me, but at the same time, I hope that my talk and research will act as a stepping stone to appropriate and effective collaboration between researchers and the industry, and hopefully inspire too.

Till the next one, stay safe people 🫡