In an age where cars are increasingly connected to mobile apps and other devices, the convenience of being able to remotely control your vehicle has become a modern luxury. Features such as starting your car and warming it up on a cold morning, unlocking it from afar, and even tracking its location have become commonplace. However, with this convenience comes a heightened risk of security breaches, as a recent discovery has shown.
A four-person team of security researchers recently uncovered a significant vulnerability in Kia vehicles equipped with Kia Connect, a technology that allows drivers to control their cars remotely via a mobile app. The team developed a tool that, with nothing more than a smartphone and an internet connection, could scan the license plate of almost any recent Kia car and gain near-complete access to its systems.
The hack is particularly alarming because it affects Kia models as far back as 2014, with newer cars offering even more exploitable capabilities. On the latest Kia models, the researchers were able to perform a wide range of actions. These included starting and stopping the engine, locking and unlocking doors, activating the car’s lights and horn, and tracking the vehicle’s location via GPS. The tool also granted access to the car’s 360-degree cameras, giving hackers the ability to peek inside the vehicle remotely.
Personal Data at Risk: Hackers Exploit Kia Connect Flaw to Access Owner Information
Perhaps most concerning was the researchers’ discovery that they could access sensitive personal information about the car’s owner. The tool was able to pull up the owner’s name, email, Kia Connect password, associated phone number, and physical address. This information was vulnerable even if the owner was no longer actively subscribed to the Kia Connect service, exposing a significant privacy flaw.
While the app could unlock numerous features of the vehicle, the only major limitation was that it could not bypass an “immobilizer” system designed to prevent the car from being driven without a key. However, similar immobilizer systems have been breached in other hacking incidents, suggesting that even this protection may not be foolproof.
The good news is that this vulnerability has since been addressed. Security researcher Sam Curry and his team informed Kia of the flaw in June, and a patch was rolled out in August to close the loophole. Kia has since confirmed that the vulnerability has been fixed, and the researchers made sure to test their findings only on vehicles belonging to friends, family members, or those not in use at dealerships and rental agencies. No harm came to actual car owners, and no real-world damage was inflicted.
Rising Concerns Over Car Connectivity: Simple Hacks Expose Major Security Flaws in Modern Vehicles
However, the hack’s simplicity is still unsettling. According to Curry’s public write-up, this type of vulnerability is shockingly easy to exploit for those with a basic understanding of computer science. While it may not be within the reach of an average person, someone with high school-level computer science skills could conceivably penetrate the systems put in place by Kia, a global company that sells millions of cars annually.
What’s more concerning is that Kia is not alone. Many modern vehicles across a variety of manufacturers use similar remote connectivity systems, and some have already been compromised in similar ways. The incident highlights the ongoing security risks in an era where cars, like smartphones and computers, are increasingly interconnected with the internet.
Wired’s interview with Curry illustrates the potential dangers. In a chilling example, Curry explained that if someone cuts you off in traffic, a malicious actor could scan their license plate and track them wherever they go. With this information, they could remotely access the car and, essentially, stalk the individual.
This incident serves as a stark reminder of the potential risks involved in integrating cars with internet-connected technology. As automakers continue to push the envelope of convenience, robust security measures must be a top priority to protect consumers from potential cyberattacks.