When security researchers in the past found ways to hijack vehicles’ Internet-connected systems, their proof-of-concept demonstrations tended to show, thankfully, that hacking cars is hard. Exploits like the ones that hackers used to remotely take over a Chevrolet Impala in 2010 or a Jeep in 2015 took years of work to develop and required ingenious tricks: reverse engineering the obscure code in the cars’ telematics units, delivering malicious software to those systems via audio tones played over radio connections, or even putting a disc with a malware-laced music file into the car’s CD drive.

This summer, one small group of hackers demonstrated a technique to hack and track millions of vehicles that’s considerably easier—as easy as finding a simple bug in a website.

Today, a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then. But Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias’ digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.
