Connected vehicles continue to increase in popularity with features such as remote access and start, but what if a hacker could access those same features to gain access to a car?
A group of security researchers have revealed that it was able to gain access via critical flaws on Korean car maker Kia Corp.’s dealer portal, which could have been exploited to control any Kia vehicle equipped with remote hardware. Additionally, the flaws allowed access to any Kia vehicle with the hardware, regardless of whether the user had an active Kia Connect subscription.
As detailed Friday by Sam Curry, one of the researchers who discovered the flaw, the researchers found a set of vulnerabilities on the portal on June 11 that allowed remote control over key functions of Kia vehicles using only their license plates. The attacks could be executed remotely on any hardware-enabled vehicle in under 30 seconds.
Along with accessing and being able to remotely control Kia vehicles, the vulnerabilities could also be used to obtain the personal information of the vehicle’s owner, including name, phone number, email address and physical address. The access could have also allowed attackers to add themselves as an invisible second user on the victim’s vehicle without their knowledge.
The researchers built a tool to demonstrate the impact of the vulnerabilities, as demonstrated in the video below. Before going public, the researchers did inform Kia of the vulnerabilities and they have been fixed, but the fact that they existed in the first place is concerning in and of itself. Kia is one of many manufacturers providing remote connections, so the question arises: How safe are connected cars? Internal combustion engine cars without such connections do not have the same risk exposure.
Akhil Mittal, senior manager of cybersecurity strategy and solutions at the Synopsys Software Integrity Group, told SiliconANGLE via email that the “Kia vulnerability isn’t just a technical flaw — it’s a red flag for the entire auto industry.”
The report “shows how modern cars have become prime targets for cybercriminals, shifting from physical theft to digital exploitation,” Mittal explained. “The idea that a hacker could unlock, track, or even start your car using just a license plate number sounds like science fiction, but it’s happening today.”
Mittal said Kia’s quick patch is encouraging, but the situation raises a bigger question: Is the auto industry ready for these high-tech threats? “This wasn’t just about controlling a car – it exposed personal data too,” he said. “In a few simple steps, a hacker could access sensitive information, change ownership and take control of the vehicle without the owner’s knowledge.”