Notifications
Clear all
Topic starter
25/06/2026 2:59 pm
TL;DR: DEF CON 23 demos showed low-cost keyless entry attacks, Tesla Model S compromise paths, and GPS spoofing techniques that can alter vehicle functions and location data, according to DigiCert. The lesson for identity and access teams is that connected-device trust models fail quickly when authentication, command control, and safety boundaries are too easy to bypass.
NHIMG editorial — based on content published by DigiCert: DEF CON 23 Recap
By the numbers:
- A tiny device called the Rolljam can break into just about any keyless car lock and modern garage door opener for $32.
- DEF CON 23 gathered thousands of hackers and security professionals in Las Vegas.
Questions worth separating out
Q: How should security teams reduce replay risk in keyless access systems?
A: Security teams should assume that proximity alone is not proof of legitimacy.
Q: Why do connected devices need stronger authorization than simple network controls?
A: Connected devices fail when network location is mistaken for trust.
Q: What do teams get wrong about GPS and location-based automation?
A: Teams often treat GPS as an objective fact when it is really an input that can be forged.
Practitioner guidance
- Map convenience features to trust boundaries Inventory every remote unlock, remote start, telemetry, and navigation function, then document which signals are trusted for each action and whether replay resistance exists.
- Separate safety actions from convenience paths Require distinct authorization checks for functions that change vehicle state, especially actions affecting motion, power, steering, suspension, or lighting.
- Treat GPS as an untrusted input Correlate location with additional signals such as network context, sensor consistency, and device state before automating decisions that depend on position.
What's in the full article
DigiCert's full event recap covers the demonstration details this post intentionally leaves at a higher level:
- A closer description of the Rolljam device and why low-cost keyless entry attacks matter for connected products.
- The specific Tesla Model S vulnerabilities researchers discussed, including the functions they were able to influence.
- Additional context on how GPS emulator techniques can mislead navigation and device-location logic.
- The broader DEF CON security conversations around smart cars and why manufacturers need to design security earlier in the product lifecycle.
👉 Read DigiCert's DEF CON 23 recap for the smart car hacking demonstrations →
Smart car hacking at DEF CON 23: what did it expose?
Explore further
25/06/2026 4:16 pm
Connected-device identity fails when convenience is treated as trust. Smart automobile systems often accept signals that are easy to imitate, relay, or spoof because product design optimizes user experience before security assurance. That creates an identity problem, not just a vulnerability problem, because the system cannot reliably distinguish a legitimate control signal from a counterfeit one. Practitioners should treat every convenience-based trust path as a potential authorization gap.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: What should organisations do first when connected product controls are exposed?
A: Start by ranking the functions that can alter physical state or safety outcomes, then verify whether those functions can be reached through low-assurance signals. The first priority is not more monitoring, but removing implicit trust from the highest-impact control paths and limiting what each credential or signal can do.
👉 Read our full editorial: DEF CON 23 showed how smart car security gaps scale
