Having the ability to start my car and warm it up from my phone ten minutes before I head out on a chilly morning feels like a glimpse into the future, and I absolutely love it. However, the interconnectivity of these systems introduces significant risks, as recently highlighted by security researchers.
A four-person team successfully discovered a method to remotely hack into nearly every recent Kia vehicle using nothing more than a mobile connection. They developed an app capable of scanning the license plates of cars equipped with Kia Connect functionality, granting them almost complete remote access.
The app works on Kia models dating back to 2014, with newer models offering even greater capabilities. For instance, on the latest vehicles, the tool could track the car’s GPS location, start and stop the engine, lock and unlock doors, activate lights and horns, and even access the car’s 360-degree cameras.
Even more alarming is that the tool provided access to personal information about the vehicle’s owner, including their name, email, Kia Connect password, phone number, and physical address. This data was available even if the owner was not currently subscribed to Kia Connect. The app’s only limitation was that it could not override the immobilizer feature that prevents a car from being driven away without a key, although other hackers have managed to defeat those systems as well.
Fortunately, Sam Curry and his team alerted Kia about this vulnerability back in June, and it was fixed by August, well before the details were made public in Wired. The researchers tested their system on cars belonging to friends and family, as well as vehicles at rental agencies and dealerships, ensuring no real harm was done during their investigation. According to Curry’s public write-up, the hack was surprisingly straightforward. While it may not be within reach of the average person, someone with a basic understanding of computer science could defeat the security measures put in place by a corporation that sells millions of cars worldwide. Similar vulnerabilities have been discovered in various new vehicles today.
Wired’s interview with Curry paints a chilling picture. “If someone cut you off in traffic, you could scan their license plate and track their location at any time, essentially allowing you to stalk them and break into their car.”
These vulnerabilities are something most car buyers remain unaware of, leaving them ill-prepared to defend against such threats. The responsibility for protecting the vehicle and its users lies with the manufacturer, and it seems they have fallen short in fulfilling that duty.