Common Vulnerabilities and Exposures number 2017-14937: in unspecified post-2014 passenger car models, the explosive charge that deploys the airbag is controlled by an instruction that is secured by one of only 256 keypairs, and there is no rate-limit on authentication attempts over the CAN bus. It gets better! “In addition, at least one manufacturer’s interpretation of the ISO 26021 standard is that it must be possible to calculate the key directly (i.e., the other 255 key pairs must not be used).”
CVE-2017-14937 shows airbags will deploy when told to deploy. They point out problems with security access.
— Charlie Miller (@0xcharlie) October 24, 2017
CVE-2017-14937 [Mitre]
(via Dan Hon)