Ah, the wonders of modern technology. Remember the days when “hacking a car” sounded like something from a cheesy action movie? Well, buckle up because it’s not just movie villains who can do it anymore—it’s much simpler now. A group of security researchers found out just how laughably easy it was to exploit a bug in Kia’s web portal and take control of millions of cars. We’re talking about everything from tracking the vehicle, unlocking the doors, and even starting the engine. And guess what? All you need is a license plate number. That’s right, a simple website bug turned millions of Kias into sitting ducks for potential hackers.
Let’s set the stage: these researchers weren’t reverse engineering complex telematics units or sneaking malware into the CD player like some modern-day 007. No, they were poking around Kia’s website. The result? They found that they could reassign control of Kia cars’ internet-connected features—from tracking to honking the horn—to themselves with minimal effort. All it took was sending a few commands through Kia’s online system. And you thought the “check engine” light was annoying.
Hackers control and track KIA cars with just license plate number 😱
YouTube video: https://t.co/vTbbjEtYec#car #kia #privacy #track #cybersecurity #cars #iphone #android #watchdogs #hack #hacking #hacker #infosec #informationsecurity @samwcyo pic.twitter.com/eTRfmslmrM
— David Bombal (@davidbombal) October 6, 2024
What’s even scarier is that this isn’t the first time Kia’s systems have been exposed like this. In fact, the researchers found a similar vulnerability last year! Add to that the fact that this kind of flaw isn’t exclusive to Kia. Other carmakers like Honda, Toyota, and Hyundai have had similar problems with their web-based systems. Apparently, “web security” is something auto manufacturers tend to overlook, focusing more on keeping your car’s steering wheel locked than keeping hackers out of your digital dashboard.
Now, Kia has said they’ve patched the issue after the researchers reported it this summer, but let’s be real: do we really trust that these companies have got it all figured out? The fact that it’s taken this long—and that this is Kia’s second strike—doesn’t exactly inspire confidence. It seems like automakers are in such a rush to sell cars with cool smartphone features that they forget about something kind of important: security.
Imagine this for a second—you’re cruising down the highway, and someone you cut off gets a little tech-savvy revenge. They scan your license plate, and suddenly they know where you are, they’re unlocking your car, and maybe even starting it from afar. Sure, they can’t drive off with it (yet), but the thought that this was possible at all is enough to make anyone think twice about “connected cars.”
The real kicker here is how broad these vulnerabilities are. Not only could hackers control these car features, but they also had access to personal data—names, email addresses, phone numbers, and even past driving routes. So, if stealing the car didn’t interest them, they could still steal your identity or stalk you. Talk about a digital nightmare.
And don’t get too comfortable if you’re driving something other than a Kia. Researchers have shown that web security in cars across the board is… well, let’s call it “lacking.” Whether it’s BMW, Rolls Royce, or even emergency vehicles, these bugs expose a larger issue. The rush to integrate cool, smartphone-enabled features like remote start and tracking has opened up a Pandora’s box of vulnerabilities that automakers are clearly not prepared to handle.
So what’s the solution? Sure, Kia—and probably a dozen other carmakers—are scrambling to patch these flaws, but what happens next? Will car companies actually take a step back and prioritize securing these features, or will they continue shipping out cars that are more vulnerable than we realize? As UCSD professor Stefan Savage puts it, “How do you decide, ‘We’re not going to ship the car for six months because we didn’t go through the web code?’” That’s a tough sell in an industry where speed to market is everything.
New writeup from @_specters_ and I: we’re finally allowed to disclose a vulnerability reported to Kia which would’ve allowed an attacker to remotely control almost all vehicles made after 2013 using only the license plate.
Full disclosure:https://t.co/e2EwvUMgqw pic.twitter.com/yMk4ihliFT
— Sam Curry (@samwcyo) September 26, 2024
Maybe this latest hack will be a wake-up call for the auto industry. Or maybe it’ll just be another news story that fades away until the next big vulnerability comes along. Either way, the idea that millions of cars could be hacked through a simple web portal flaw is a reminder that in today’s connected world, security should never be an afterthought.
