Last week, a team of independent security researchers published their discovery of a flaw in the car brand Kia’s web portal. It could be exploited to track and remotely control dozens of models.
Thanks to the vulnerability on the website, the researchers could hack a car in about 30 seconds, just by using its license plate. It did not matter if the car had an active Kia Connect subscription or not.
New writeup from @_specters_ and I: we’re finally allowed to disclose a vulnerability reported to Kia which would’ve allowed an attacker to remotely control almost all vehicles made after 2013 using only the license plate.
Full disclosure: https://t.co/e2EwvUMgqw
— Sam Curry (@samwcyo) September 26, 2024
If the car was connected to the internet, the flaw could be used to track its location, unlock its door, and start the ignition remotely. The hackers were not able to actually move the vehicles, however, nor could they control the steering and brakes.
They were able to acquire customers’ names, phone numbers, email and home addresses though. Most modern vehicle models made after 2013 were susceptible in some capacity.
The group tested the hacks on rental cars and those owned by friends. They worked every single time.
One of the hackers, Sam Curry, told WIRED: “If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car.
“If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.”
What has Kia done about the bug?
The researchers alerted Kia to these problems when they discovered them back in June this year. WIRED reports that: “Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then.”
This isn’t a new problem, nor does it mark the end of potential car hacks. The same group of researchers discovered other bugs in the last few years, affecting Hondas, Hyundais, BMWs, and more.
As Curry concluded on his blog: “Cars will continue to have vulnerabilities because, in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle.”
The post Kia website flaw meant cars could be hacked, say researchers appeared first on ReadWrite.