
A Minor Website Issue Could Allow Hackers to Track Millions of Vehicles


In recent years, security researchers have demonstrated how complex it is to hijack vehicles' internet-connected systems. Past exploits, such as the remote takeover of a Chevrolet Impala in 2010 or a Jeep in 2015, showed that hacking cars often required extensive technical expertise, a large time investment, and innovative techniques. These included reverse engineering intricate code in the vehicles' telematics units, using audio tones played over radio connections to deliver malware, or even inserting a malware-laden disc into the car’s CD drive.

However, a recent development has highlighted a considerably easier method to hack and track millions of vehicles. A group of independent security researchers discovered a vulnerability in a web portal operated by Kia, allowing them to reassign control of internet-connected features for most modern Kia vehicles. This group found that by exploiting this flaw, they could easily scan the license plates of Kia vehicles and quickly gain access to their location data, unlock the doors, honk the horn, or even start the ignition—all from the hacker's device.

After notifying Kia of the vulnerability in June, the company appeared to address the issue, although they continued to investigate the findings. Despite this action, researchers emphasized that Kia's patch was just one aspect of a broader issue affecting the car industry. The flaw in Kia’s web portal marked the second significant vulnerability reported by the researchers to the Hyundai-owned company; a similar issue had been identified the previous year. Furthermore, the researchers have uncovered a range of similar vulnerabilities across multiple car manufacturers, including Acura, Genesis, Honda, Hyundai, Infiniti, and Toyota.

Neiko “specters” Rivera, a researcher involved in the recent Kia findings, remarked on the overall inadequacy of web security for vehicles, stating that numerous vulnerabilities continue to emerge. Sam Curry, another member of the research group, echoed this sentiment, noting that despite improvements, the situation remains troubling. Before reporting the latest flaw, the researchers tested their technique on various Kia models—including rentals and cars on dealer lots—confirming that their method consistently worked. They even demonstrated the vulnerability on a Kia Soul, showing how easy it was to access the vehicle’s features remotely.

While this technique does not grant hackers control over critical driving systems like steering or braking, it does pose significant risks, including theft of personal belongings, harassment, and invasion of privacy. The flaw also allowed the researchers to access sensitive customer information, such as names, addresses, and driving histories, indicating a potential data leak.

The vulnerability stemmed from a flaw in Kia's backend web portal, which handles customer and dealer access to connected car features. The researchers identified that there were no safeguards preventing unauthorized users from accessing dealer privileges. For example, hackers could assign control of a vehicle’s features to any account they created, simply by exploiting this oversight. They also discovered that the web portal enabled lookups of vehicles using their vehicle identification numbers (VINs), which could be obtained by querying the license plate number through external services.
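
The missing safeguard described above is a server-side authorization check on a dealer-only action. The following is an added illustration, not Kia's code or the researchers' material; the role name, `Session` fields, function names, and sample VIN are all hypothetical. It contrasts the flawed pattern with a deny-by-default check that also records every attempt for monitoring.

```python
from dataclasses import dataclass
from typing import Optional

DEALER_ROLE = "dealer"  # hypothetical role name

class Forbidden(Exception):
    """Raised when the caller is not authorized for the action."""

@dataclass(frozen=True)
class Session:
    account_id: str
    role: str                        # assigned server-side at login, never read from the request
    dealer_id: Optional[str] = None  # set only for verified dealer accounts

def sample_vehicles():
    # Constructed sample data: placeholder VIN -> selling dealer and controlling account.
    return {"VIN-PLACEHOLDER-0001": {"dealer_id": "D-100", "owner": "cust-1"}}

def reassign_unchecked(session, vin, new_owner, vehicles):
    """Flawed pattern: any logged-in account can perform the dealer action."""
    vehicles[vin]["owner"] = new_owner
    return vehicles[vin]["owner"]

def reassign_checked(session, vin, new_owner, vehicles, audit):
    """Deny by default: require the dealer role and a dealer-to-vehicle link."""
    record = vehicles.get(vin)
    allowed = (
        session.role == DEALER_ROLE
        and session.dealer_id is not None
        and record is not None
        and record["dealer_id"] == session.dealer_id
    )
    # Log every attempt so repeated denials from one account can be alerted on.
    audit.append((session.account_id, vin, "allow" if allowed else "deny"))
    if not allowed:
        # One generic error for every failure, so responses do not confirm which VINs exist.
        raise Forbidden("not authorized for this vehicle")
    record["owner"] = new_owner
    return record["owner"]

if __name__ == "__main__":
    vehicles, audit = sample_vehicles(), []
    customer = Session("acct-new", "customer")
    try:
        reassign_checked(customer, "VIN-PLACEHOLDER-0001", "acct-new", vehicles, audit)
    except Forbidden as exc:
        print("denied:", exc, audit)
```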

The ongoing investigation revealed that many automakers' web platforms exhibited similar vulnerabilities. In their research, the group identified various flaws affecting a range of brands, allowing remote access to vehicle features and sensitive data. In January 2023, they published findings detailing vulnerabilities across numerous manufacturers, asserting that many of these bugs provided some level of control over vehicles' connected features.

Further investigations revealed additional vulnerabilities, such as a flaw in Toyota’s web portal, which would have permitted unauthorized access to vehicle features, including tracking and unlocking capabilities. Toyota quickly addressed this issue, illustrating the growing recognition among automakers of the security challenges posed by their digital systems.

The alarming frequency of these vulnerabilities is attributed to car manufacturers’ push for smartphone integration and other connected features aimed at appealing to consumers, particularly younger demographics. This trend has expanded the potential attack surface that hackers can exploit, leading to widespread security issues that may have previously gone unnoticed. Despite the rapid evolution of vehicle connectivity, there remains a significant gap in security focus between embedded systems and web-based systems within the automotive industry. Rivera noted that many car manufacturers prioritize securing embedded devices—those integrated within the car's hardware—over web security, often neglecting the potential risks associated with online interfaces.

As the automotive landscape continues to embrace connectivity, experts like Stefan Savage, a professor of computer science, argue for a more balanced approach to security. He stresses the importance of prioritizing web security to match advancements in embedded system security, suggesting that the industry needs to adapt its practices to better safeguard against the vulnerabilities revealed in recent research.
