### The Surge of Car Hacking: How Flaws in Web Portals are Exposing Millions of Vehicles to Danger
Historically, hacking a car was an intricate and lengthy endeavor, often demanding significant technical expertise and access to obscure systems. Notable incidents of car hacking, such as the 2010 Chevrolet Impala and the 2015 Jeep Cherokee breaches, illustrated that, while feasible, these exploits were hard to achieve. Researchers often had to reverse-engineer telematics systems, utilize audio signals to inject harmful software, or even play malware-infected CDs through the car’s entertainment system. However, recent advancements in car hacking indicate a troubling shift in the landscape.
In 2023, a collective of independent security researchers unveiled a far more straightforward and distressing technique to hack and monitor millions of vehicles. By leveraging a flaw in Kia’s web portal, the researchers gained command over the connected functionalities of Kia vehicles, such as tracking their locations, unlocking doors, sounding horns, and even igniting the engine. This weakness was not a one-off case, but part of a growing trend of online security flaws impacting various car brands.
### A Minor Glitch, A Monumental Issue
The glitch in Kia’s web portal was incredibly basic. The researchers found that by taking advantage of a vulnerability in the backend of Kia’s site, they could transfer control of a vehicle’s connected functionalities from the owner’s smartphone to their devices. All that was required was the vehicle’s license plate number, which could easily be transformed into a Vehicle Identification Number (VIN) using publicly accessible tools like PlateToVin.com. Once armed with the VIN, they could employ Kia’s web portal to access the car’s connected features.
This weakness permitted the researchers to monitor the vehicle’s location, unlock doors, and even start the engine. Although the hack did not grant them access to critical driving mechanisms like steering or braking, it nonetheless posed serious threats. For instance, a hacker could exploit this vulnerability to pilfer a vehicle’s contents, intimidate drivers, or even track individuals by surveilling their vehicle’s movements.
The researchers evaluated their method on several Kia models, including rental vehicles, cars belonging to friends, and those found on dealership lots. In each instance, the hack was executed flawlessly. They even showcased the method to *WIRED* using a 2020 Kia Soul, illustrating how effortlessly they could seize control of the car’s connected features.
### Kia’s Reaction and the Broader Industry Dilemma
Following the discovery of the vulnerability in June 2023, Kia promptly resolved the issue in its web portal. However, the researchers pointed out that this was not their first encounter with such a flaw in Kia’s systems. In fact, they had reported a similar problem the year prior. This recurring pattern of vulnerabilities exposes a larger issue within the automotive sector: inadequate web security.
The researchers emphasized that Kia’s web portal granted dealers excessive control over vehicles, even those not present on their lots. The system failed to adequately verify a user’s status as a dealer, enabling hackers to exploit dealer-level privileges to seize control of a car’s connected functionalities. This degree of access, coupled with the simplicity of obtaining a vehicle’s VIN, rendered the vulnerability particularly perilous.
Kia is not the sole entity grappling with these challenges. The same group of researchers has identified comparable vulnerabilities in the web portals of several major automotive brands, including Acura, Honda, Hyundai, Infiniti, Toyota, and beyond. In January 2023, they published a report outlining a multitude of web-based vulnerabilities affecting various car manufacturers. Some of these flaws allowed hackers to manipulate connected features such as unlocking doors and starting engines, while others exposed sensitive customer information, including names, addresses, and driving patterns.
### The Expanding Attack Surface of Connected Vehicles
The emergence of connected cars—vehicles equipped with internet-enabled features manageable via smartphone applications—has significantly broadened the attack surface for cybercriminals. Features such as remote unlocking, GPS tracking, and even remote starting are attractive to consumers, particularly younger drivers. However, these conveniences bring substantial security hazards.
Stefan Savage, a computer science professor at UC San Diego and a pioneer in car hacking studies, remarked that the demand for smartphone-enabled features has introduced new vulnerabilities. “Once you have these user features linked to the phone, this cloud-connected aspect, you generate all this attack surface you didn’t need to be concerned about before,” he stated.
While car manufacturers have made progress in safeguarding the embedded systems responsible for critical operations like steering and braking, web security has often been neglected. Updating embedded systems poses challenges and may result in costly recalls, leading manufacturers to concentrate their efforts there. Nevertheless, as the recent wave of web-based vulnerabilities illustrates, web security is equally essential.
### The Imperative for Enhanced Web Security in the Automotive Sector
The vulnerabilities highlighted by the researchers serve as an alert for the automotive industry. As vehicles become increasingly connected, manufacturers must emphasize
