Starting my car from my phone to warm it up ten minutes before I leave on a frosty morning is truly a sign of living in the future, and I enjoy it immensely. However, the convenience of connectivity opens the door to numerous potential risks, as recent findings from security researchers demonstrate.
A team of four has recently uncovered a method to remotely hack nearly every recent Kia vehicle using just a mobile connection. They developed an application that can scan the license plates of any Kia equipped with Kia Connect, enabling almost complete remote access to these vehicles.
This tool is compatible with Kia models as far back as 2014, while newer models provide even more advanced capabilities. For instance, on the latest Kia vehicles, the app can track the car’s GPS location, start or stop the engine, lock and unlock the doors, activate the lights and horn, and even view the vehicle’s 360-degree cameras.
Even more troubling is that the tool provided access to sensitive personal information of the car’s owner, including their name, email, Kia Connect password, phone number, and physical address. This data was accessible even when the owner was not actively subscribed to Kia Connect. The only restriction of the app was its inability to bypass the immobilizer feature that prevents the vehicle from being driven away without a key—although there are known methods to circumvent these systems as well.
On a positive note, Sam Curry and his colleagues notified Kia about this vulnerability in June, and it was rectified in August, well ahead of the public disclosure in Wired. The team conducted their tests on cars owned by friends and family and vehicles that were not in active use at rental agencies or dealerships, ensuring that no one was put at risk.
However, Curry’s public report highlights how alarmingly simple the process was. While the average person might not be able to carry it out, someone with just a high school-level understanding of computer science could breach the security measures of a corporation that sells millions of vehicles globally. Similar systems are utilized in many new cars, some of which have already been compromised in comparable ways.
In an interview with Wired, Curry illustrated a nightmare scenario: “If someone cut you off in traffic, you could scan their license plate and know where they are at all times, enabling you to break into their car. Essentially, anyone could query a license plate and stalk another person.”
Such vulnerabilities are often unknown to car buyers, leaving them ill-equipped to defend against these threats. The onus to protect both the vehicle and its occupants rests with the manufacturer, and it appears that the manufacturer has not adequately met this responsibility.