For a while there, Kia and Hyundai owners couldn’t go a week without receiving some not-so-good news about their cars’ security. This time, a bug in Kia’s web portal allowed white-hat ethical hackers to access millions of vehicles and remotely control their internet-connected features. And before you run out to your late-model Kia and delete every connected app, know that the automaker has created a patch to fix the security vulnerability. Your car will not start on its own. For now.
As Wired reports, a group of independent security researchers informed Kia of the issue in June. The weak security was related to the Kia Connect owner’s portal, an infotainment and telematics service that allows remote access for certain features. Many automakers offer a similar connectivity app for vehicles equipped with advanced telematics systems, all of which feature “connect” or “link” in their names.
The researchers found they could hijack any connected Kia vehicle within 30 seconds by simply scanning the vehicle’s license plate. This enabled them to control the locks, honk the horn, track its location, and activate the remote start feature.
The cyberattacks did not, however, allow access to driving-related systems, like the brakes or steering, or the engine immobilizer (the viral Hyundai Group headache). But there’s almost always a loophole and inquisitive criminals could combine remote hacking with in-car security defeats to steal the vehicle. Or, maybe it’s not about the car in the first place but identity theft. With the security breach, a vehicle owner’s personal information is up for grabs.
“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” said Neiko Rivera, one of the car telematics researchers and a former Rivian employee. “Over and over again, these one-off issues keep popping up,” added Sam Curry, another research group member. “It’s been two years. There’s been a lot of good work to fix this problem, but it still feels really broken.”
The group has indeed worked on its security research for the last couple of years, having found another Kia security flaw last year. But its research has less to do with Kia than with connected car security as a whole. In June, the group learned it could access Lexus and Toyota vehicles the same way it did with the Kias. And back in January 2023, the group released a massive report that affected a multitude of automakers, including Acura, BMW, Ferrari, Genesis, Honda, Infiniti, Mercedes-Benz, Nissan, and Rolls-Royce. Once multiple tests confirm the initial findings, the group always shares its hacking technique with the automaker.
And such is the Internet of Things. The convenience is appealing and, let’s face it, the big marketing sell. But at what cost? Your personal information being used to track you after you cut someone off in traffic or hog the left lane, or because they’re just having a bad day and you’re in their way? Losing control of your vehicle, even if just to maintain the climate control or the power windows? The World Wide Web is still the Wild, Wild West.
During his time at Rivian, Rivera found that automakers are more focused on “embedded” devices, the cloud-connected stuff in non-traditional computer environments, as opposed to cybersecurity, for two low-tech reasons: time and money.
“It was clear ever since I started that there was a glaring gap between embedded security and web security in the auto industry,” said Rivera. “These two things mix together very often, but people only have experience in one or the other.”
You can learn more about the group’s recent Kia hacking research here and about the large-scale hack from January 2023 here.