This research shows the security pitfalls of web-enabled hardware -- where the hardware just so happens to be cars. The techniques are straightforward (and clever) web API hacking that involves JWTs and CRLF injections. It's been quite a while since I've seen an interesting CRLF example.
So, while you won't get any insights on an automotive CAN bus or reverse engineering microcontrollers, you will get some good reminders on the patience in manipulating web authentication and authorization requests. Plus, being able to "remotely start, stop, lock, unlock, honk, flash lights, or locate any vehicle that had the remote functionality enabled" is more impressive than old-school hacks like opening a computer's optical drive tray.