Kia just can’t catch a break in terms of vehicle security. After the widely publicized issues with USB-based car thefts last year, the automaker now finds itself in the spotlight again—this time for remote hacking vulnerabilities that could have allowed attackers to take control of tens of millions of vehicles. For the automotive enthusiast community, this raises serious concerns about how automakers are managing the security of increasingly connected vehicles.
Another Round of Vulnerabilities
Last year, Kia owners were affected by a series of car thefts in which bad actors exploited a design flaw, using USB devices to start and steal vehicles. Now, security researchers have uncovered a fresh set of vulnerabilities—this time in Kia’s online systems—that could have put an even larger number of cars at risk. Unlike the USB exploit, which required physical access to the vehicle, this latest flaw allowed attackers to remotely control key functions of the car from anywhere, using just the vehicle’s license plate number.
Sam Curry, a cybersecurity researcher, along with his team, discovered these vulnerabilities in Kia’s owners’ portal. This site connects Kia owners to their cars and allows them to perform various tasks like locking and unlocking doors or starting the engine. Unfortunately, the researchers found that hackers could exploit the website to hijack these functions without the owner ever knowing.
Kia’s Connected Systems Under Siege
It’s no secret that cars have become far more than mechanical machines. Today, vehicles are fully connected to the internet, allowing for remote updates, diagnostics, and even the ability to control certain features via mobile apps. While this adds convenience, it also opens the door to significant security risks, as this case with Kia shows.
Curry’s team found that by exploiting the Kia owners’ portal, a hacker could gain control over a vehicle’s features in as little as 30 seconds. Even more concerning, the flaws exposed the personal information of the vehicle owner, such as their name, address, phone number, and email. Once inside the system, the attacker could also add themselves as a second user to the vehicle without the owner’s knowledge, giving them full access to control the car.
For the enthusiast crowd who loves pushing the boundaries of technology and performance, the idea of a hacker being able to control your ride remotely is terrifying. The vulnerability didn’t just affect one or two models—it impacted nearly every Kia built after 2013. From locking and unlocking doors to starting the engine or honking the horn, a hacker could perform these actions with minimal effort, all through Kia’s own system.
The Technical Breakdown
The flaw lay in how Kia’s system handled internet-to-vehicle commands. The Kia owners’ portal used a backend reverse-proxy system to execute commands, and that is where things went wrong. Once the researchers gained access, they found they could trick the system into executing commands on behalf of a hacker.
But it wasn’t just the owners’ portal that was vulnerable. Kia’s dealership infrastructure had similar issues, allowing hackers to control systems related to vehicle lookup, enrollment, and more. By using requests similar to those in the owners’ portal, hackers could generate access tokens, which allowed them to call dealer APIs and gain access to a vehicle owner’s sensitive information. With a little know-how, they could manipulate the data and assign themselves as primary users of a car.
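From the defender's side, the sequence described above (a dealer token is issued, an owner is looked up, and a user is added to that vehicle without the owner knowing) is something a backend audit log can be checked for. The following is an added example, not code from the article, the researchers, or Kia; the event names, fields, and the 120-second window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical audit-event names; a real backend will use its own.
ACCESS_CHANGES = {"user_added", "primary_user_changed"}
WINDOW = timedelta(seconds=120)  # assumed threshold for a "rapid" chain

# Constructed sample events (not real data).
EVENTS = [
    # Normal dealer workflow: slow, and the owner confirmed the change.
    {"ts": "2024-01-15T09:00:00", "token": "t-100", "action": "dealer_token_issued"},
    {"ts": "2024-01-15T09:30:00", "token": "t-100", "action": "owner_lookup", "vehicle": "VIN-B"},
    {"ts": "2024-01-15T09:31:00", "token": "t-100", "action": "user_added",
     "vehicle": "VIN-B", "owner_confirmed": True},
    # Suspicious chain: new token, lookup, silent user add in 21 seconds.
    {"ts": "2024-01-15T12:00:00", "token": "t-901", "action": "dealer_token_issued"},
    {"ts": "2024-01-15T12:00:08", "token": "t-901", "action": "owner_lookup", "vehicle": "VIN-A"},
    {"ts": "2024-01-15T12:00:21", "token": "t-901", "action": "user_added",
     "vehicle": "VIN-A", "owner_confirmed": False},
]

def find_silent_takeovers(events, window=WINDOW):
    """Flag unconfirmed access changes made right after token issuance and owner lookup."""
    issued, looked_up, alerts = {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        token, vehicle = ev["token"], ev.get("vehicle")
        if ev["action"] == "dealer_token_issued":
            issued[token] = ts
        elif ev["action"] == "owner_lookup":
            looked_up.add((token, vehicle))
        elif ev["action"] in ACCESS_CHANGES:
            start = issued.get(token)
            rapid = start is not None and ts - start <= window
            if rapid and (token, vehicle) in looked_up and not ev.get("owner_confirmed", False):
                alerts.append({"vehicle": vehicle, "token": token,
                               "action": ev["action"],
                               "seconds": (ts - start).total_seconds()})
    return alerts

if __name__ == "__main__":
    for alert in find_silent_takeovers(EVENTS):
        print(alert)
```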
Kia’s Ongoing Battle with Security
Kia has been in the hot seat recently, particularly with the car thefts enabled by the USB exploit, a vulnerability that affected thousands of cars in the USA. These incidents gave the automaker a reputation for poor security, and this latest hacking revelation only adds to that perception. For the automotive enthusiast community, it’s frustrating to see a brand struggle to secure its vehicles, especially when technology is such an integral part of modern car ownership.
Kia isn’t alone in facing these kinds of issues, but the fact that they’ve been hit with back-to-back security problems highlights the growing need for automakers to invest in more robust cybersecurity measures. As vehicles become more connected and reliant on software, the risks of hacking are only going to increase.
Kia’s Response and the Road Ahead
To their credit, Kia acted quickly after the vulnerabilities were reported in June 2024. By mid-August, they’d implemented a fix that patched the flaw. However, for many, the damage to Kia’s reputation was already done. The idea that someone could take control of their car remotely, combined with the ease of last year’s USB hack, has left many Kia owners feeling uneasy about the brand’s commitment to security.
For the automotive industry at large, this should serve as a wake-up call. We’re living in a time when vehicles are becoming just as much about software as they are about horsepower. Automakers must prioritize cybersecurity just as much as they do performance and reliability. For enthusiasts, a well-built machine means little if it can be controlled by a hacker thousands of miles away.
The vulnerabilities discovered by Sam Curry and his team may have been patched, but they serve as a reminder that connected cars are not just machines—they are also potential targets. As cars continue to evolve, security must be at the forefront of innovation. Let’s hope Kia—and the entire industry—learns from this incident to keep our rides secure in the digital age.
This Article First Appeared At www.automotiveaddicts.com