Four security researchers managed to get near-total control of cars using the Kia Connect system.
Being able to use an app on my phone to start my car and warm it up ten minutes before I leave on a cold morning is some real “living in the future” stuff. I love it. But connecting everything to everything does open up a lot of potential risk, and security researchers just demonstrated that.
A four-person team recently discovered a way to remotely hack into almost every recent car made by Kia with little more than a mobile connection. They built a phone app that can scan the license plate of any car with Kia Connect functionality to gain almost total remote access to it.
The tool works on Kia models as far back as 2014, with newer cars opening up more and more capabilities. On the latest Kia models, for example, the tool was able to track a car’s location via GPS, start and stop its engine, lock and unlock its doors, activate its lights and horns, and even peek through the car’s 360-degree cameras.
Perhaps even more concerning is that the tool allowed them access to personal information on the car’s owner: Name, email and password for Kia Connect, along with an associated phone number and physical address were all available.
These remote capabilities and information were exposed by the tool even when the owner of the car wasn’t actively subscribed to Kia Connect. The only limitation of the app-based tool was that it didn’t overcome an “immobilizer” component that prevents the car from being driven away without a key… though others have defeated those systems, too.
Before you start panicking: Sam Curry and his associates informed Kia of the vulnerability back in June, and it was fixed in August, long before the exposé was published in Wired. The system and its proof-of-concept were tested “in the wild” on cars used by the team’s friends and families as well as vehicles not in use at rental agencies and dealers. It was never used to actually put real people in danger, and the vulnerability is now gone as far as the researchers and Kia can tell.
But based on Curry’s public writeup of the hack, it’s actually shockingly simple. This isn’t the sort of thing the average person could do, but someone with a high school level of computer science knowledge could penetrate these systems put in place by a corporation that sells millions of cars every year around the globe. (And similar systems are being used in most of the new cars sold today, some of which have already been “hacked” in similar fashions.)
Wired’s interview with Curry illustrates a nightmare example. “If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car. Anybody could query someone’s license plate and essentially stalk them.”
These are vulnerabilities that typical car buyers probably aren’t aware of, for which they aren’t prepared to defend against. The responsibility to protect the car and the person using it rests on the manufacturer… and it looks like they’re not living up to that responsibility.