How hackers could have remotely controlled millions of cars
Car owners, are you sitting down? Cybersecurity researchers recently reported a flaw in a website — operated by automaker Kia — that enabled them to remotely control key functions of millions of cars.
The full report, published on the personal blog of Sam Curry — one of the researchers — offers a timeline of how the team discovered the exploit and how they managed to utilize it to break into cars.
In June, the researchers found vulnerabilities affecting “Kia vehicles that allowed remote control over key functions using only a license plate.” Their report reveals they were able to remotely track a car’s location, unlock its doors, honk the horn, and start the engine. On certain Kia models, they were even able to activate the camera from a distance.
The researchers told Wired the exploit relied on a “flaw in a web portal operated” by Kia, which gave the team access to all of the internet-based features in the manufacturer’s cars.
Curry posted a YouTube video that showed him hacking into a 2022 Kia EV6 with a custom app called KIAtool. He first enters the car’s license plate number and US state to obtain its VIN (vehicle identification number). Once all data is obtained, Curry goes to the Garage tab, hits “Unlock”, and presto — the doors are open.
In addition to allowing remote control of vehicles, the web portal flaw also exposed a ton of personal information about Kia customers, including names, phone numbers, home addresses, and “past driving routes.”
The researchers informed Kia about the website vulnerability, which has since been patched. Kia said the flaw was never used maliciously and KIAtool was never released to the general public.
So it’s a happy ending, right? Not really. Additional override exploits have been unearthed previously on other car brands, including Honda, Nissan, Mercedes, Hyundai, BMW, and Ferrari.
Curry’s team also found a similar flaw on Toyota’s web portal. Toyota was made aware of the problem and quickly patched it. It’s great to see such swift action, but the problem is when there’s one bug, there are always a lot more out there.
Unfortunately, there isn’t much the average car owner can do; carmakers need to make security a top priority. I strongly recommend installing any available software patches to ensure your vehicle has the best protection possible.