Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug
October 10, 2024 at 09:54PM
Has your Kia started up on its own? You might be the victim of a flaw in Kia’s web portal that allows hackers to wrest control of cars away from unsuspecting owners. For Wired, Andy Greenberg reports on a bug that researchers have discovered affects any internet-connected Kia. While the vulnerability doesn’t make it possible to move the vehicle (yet), critical safety concerns remain.
By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
The group’s web-based Kia hacking technique doesn’t give a hacker access to driving systems like steering or brakes, nor does it overcome the so-called immobilizer that prevents a car from being driven away, even if its ignition is started. It could, however, have been combined with immobilizer-defeating techniques popular among car thieves or used to steal lower-end cars that don’t have immobilizers—including some Kias.
Even in cases when it didn’t allow outright theft of a car, the web flaw could have created significant opportunities for theft of a car’s contents, harassment of drivers and passengers, and other privacy and safety
“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” says Curry. “If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.” For Kias that come installed with a 360-degree camera, that camera, too, was accessible to hackers. Beyond allowing the hijacking of connected features in cars themselves, Curry says, the web portal flaw also allowed hackers to query a broad range of personal information about Kia customers—names, email addresses, phone numbers, home addresses, and even past driving routes in some cases—a potentially massive data leak.
from Longreads https://longreads.com/2024/10/10/millions-of-vehicles-could-be-hacked-and-tracked-thanks-to-a-simple-website-bug/