The convenience of remotely starting your car via a smartphone app might feel like an innovation from the future, but this connectivity has also exposed significant security risks, as recently uncovered by a group of researchers.
Their investigation revealed a troubling vulnerability present in nearly all Kia vehicles equipped with Kia Connect functionality. By creating an application capable of scanning license plates, the team could gain almost complete remote access to these cars. This exploit applies to Kia models dating back to 2014, with newer vehicles offering even more control. For instance, the application could track the vehicle’s GPS location, remotely start or stop the engine, lock or unlock doors, activate the horn and lights, and even utilize the car’s 360-degree camera system.
Even more concerning is the tool’s ability to expose personal details about the vehicle owner, including names, email addresses, Kia Connect passwords, phone numbers, and home addresses. Alarmingly, this information was accessible even if the owner had not subscribed to the Kia Connect service. The only limitation was the vehicle’s immobilizer, which prevents the car from being driven away without a key, although methods to bypass such systems have already been identified.
On a positive note, the research team, led by Sam Curry, notified Kia of these vulnerabilities in June, with a fix implemented by August. Their testing was conducted responsibly, using vehicles owned by friends and family, as well as those that were not actively in service at rental or dealership lots.
Despite the complex nature of modern vehicle systems, the researchers demonstrated that someone with a basic understanding of computer science could exploit these vulnerabilities. Curry’s insights reveal a concerning reality: “If someone cut you off in traffic, you could scan their license plate and track their movements, potentially breaking into their car.” This emphasizes the critical responsibility that automotive manufacturers have in protecting their vehicles and the privacy of their owners.