Millions of cars around the world could be hacked and tracked because of a simple glitch in a website.
While hacking an internet-connected car has historically been a near-impossible task, a small group of hackers recently found a much simpler technique to hack and track millions of vehicles. The starting point is a simple glitch on the website of automaker Kia.
With this flaw, the hackers created an app that could control any internet-connected Kia. Using a smartphone, they were able to track the car’s location, unlock it, honk the horn, and even start it at will.
After researchers alerted Kia to the issue in June 2024, the company patched the vulnerability on its web portal. However, the problem doesn’t seem to end there: in 2023 the researchers discovered a similar technique to hijack the digital systems of Kia vehicles. These flaws are just two in a series of similar web vulnerabilities discovered over the past two years that affected vehicles sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and others.
Nico “Spectres” Rivera, one of the researchers who discovered the latest Kia vulnerabilities, said: “The more we investigated, the more it became clear that the web security of vehicles is extremely weak.”
He also asserted that “if we don’t bring this to Kia’s attention, anyone who can check someone’s license plate can basically go after them.” According to Carey, the flaw in the web portal also allowed hackers to look up a wide range of personal information about Kia customers, such as name, phone number, and home address, among other data.