Hackers’ Secret Exploit Exposes Millions of Kias to Tracking and Control Using Just a License Plate
Kia’s Web Portal Bug Exposes Millions of Vehicles to Remote Hacking
For a while, Kia and Hyundai owners were bombarded with concerning news about their cars’ security. The latest issue is a bug in Kia’s web portal that allowed white-hat ethical hackers to access millions of vehicles and control their internet-connected features remotely. But before you panic, know that Kia has released a patch to fix the security vulnerability. Your car won’t start on its own… yet.
The Vulnerability Explained
According to Wired, a group of independent security researchers informed Kia about the issue in June. The weak security was related to the Kia Connect owner’s portal, an infotainment and telematics service that allows remote access for certain features. Many automakers offer similar connectivity apps for vehicles equipped with advanced telematics systems, all featuring "connect" or "link" in their names.
How Hackers Exploited the Vulnerability
Researchers found that they could hijack any connected Kia vehicle within 30 seconds by scanning the vehicle’s license plate. This enabled them to control the locks, honk the horn, track the vehicle’s location, and activate the remote start feature. While the cyberattacks didn’t allow access to driving-related systems, such as the brakes or steering, or the engine immobilizer, there’s always a loophole. Inquisitive criminals could combine remote hacking with in-car security defeats to steal the vehicle or compromise a vehicle owner’s personal information.
The Bigger Picture
"The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor," said Neiko Rivera, a car telematics researcher and former Rivian employee. "Over and over again, these one-off issues keep popping up. It’s been two years. There’s been a lot of good work to fix this problem, but it still feels really broken."
The Group’s Research
The group has worked on its security research for the last couple of years, having found another Kia security flaw last year. Their research has less to do with Kia than with connected car security as a whole. In June, the group learned it could access Lexus and Toyota vehicles the same way it did with the Kias. They also released a massive report in January 2023 that affected a multitude of automakers, including Acura, BMW, Ferrari, Genesis, Honda, Infiniti, Mercedes-Benz, Nissan, and Rolls-Royce.
The Internet of Things
The convenience of connected cars is appealing, but at what cost? Your personal information being used to track you after you cut someone off in traffic, hog the left lane, or are just having a bad day and get in their way? Losing control of your vehicle, even if just to maintain the climate control or the power windows? The World Wide Web is still the Wild, Wild West.
The Road Ahead
During his time at Rivian, Rivera found that automakers are more focused on "embedded" devices, the cloud-connected stuff in non-traditional computer environments, than on cybersecurity, for two low-tech reasons: time and money. "It was clear ever since I started that there was a glaring gap between embedded security and web security in the auto industry," said Rivera. "These two things mix together very often, but people only have experience in one or the other."