Security researchers have historically demonstrated that infiltrating vehicles’ internet-connected systems is a challenging endeavor. Demonstrations such as remotely controlling a Chevrolet Impala in 2010 or a Jeep in 2015 required extensive effort, including reverse engineering the complex code of car telematics, transmitting malicious software via radio-transmitted audio tones, or infecting the system with malware through a CD. Thankfully, these exploits illustrate the difficulty of hacking into cars.
This summer, a small team of hackers showcased a significantly simpler method to hack and monitor millions of vehicles—a method as straightforward as identifying a basic website bug.
A group of independent security experts recently disclosed a vulnerability they discovered in a web portal managed by car manufacturer Kia. This flaw allowed the team to transfer control of the internet-connected features of many modern Kia vehicles from the owner’s smartphone to the hackers’ device. Using a custom-built app to issue commands, the hackers could quickly pinpoint any internet-connected Kia vehicle by its license plate and gain the capability to track its location, unlock doors, sound the horn, or start the engine within seconds.
After the researchers notified Kia about the issue in June, the carmaker reportedly fixed the vulnerability, although it continues to assess the findings and has not been responsive to follow-up communications. However, this fix is just one step in addressing the broader issue of web-based security vulnerabilities within the auto industry. The exploited web bug was actually the second such vulnerability reported to the Hyundai-owned company by the research team, following a similar discovery last year. These issues are among several web-based vulnerabilities the team has identified over the past two years across various car brands, including Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.
“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” says Neiko “specters” Rivera, one of the researchers who both found the latest Kia vulnerability and worked with a larger group responsible for collecting web-based car security issues revealed in January of last year.
“Over and over again, these one-off issues keep popping up,” says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. “It’s been two years, there’s been a lot of good work to fix this problem, but it still feels really broken.”
Before they informed Kia of its latest security vulnerability, the research group tested their web-based method on several Kias—rentals, friends’ cars, and vehicles on dealer lots—and found that it succeeded in every instance. They also presented the method to WIRED, demonstrating it on a 2020 Kia Soul belonging to a security researcher they met just moments before in a parking lot in Denver, Colorado.
The group’s web-based Kia hacking technique doesn’t permit a hacker to control driving systems such as steering or brakes, nor does it override the immobilizer that keeps a car from being driven away, even if its ignition is started. However, it could have been used in conjunction with techniques that disable immobilizers, favored by car thieves, or to steal lower-end cars without immobilizers—including some Kias.
Even without enabling the actual theft of a vehicle, the website flaw posed significant risks including the potential for stealing vehicle contents, harassment of individuals, and broad privacy and security hazards.
“Imagine someone irritates you on the road; with their license plate, you could constantly track their location and potentially break into their vehicle,” Curry explained. “Had we not reported this to Kia, anyone with access to a vehicle’s license plate could essentially track the owner.” Moreover, for vehicles equipped with a 360-degree camera, this feature was also vulnerable to unauthorized access. Curry further noted that the flaw enabled access to a vast array of Kia customer personal data—ranging from names and contacts to addresses and even historical driving patterns—potentially resulting in a substantial data breach.
The technique the researchers discovered works by exploiting a simple oversight in the back end of Kia’s web portal for customers and dealers, which controls various connected car features. “By sending commands directly to the web portal’s API—the interface that interacts with the database—we discovered there were no checks in place to prevent someone from gaining access akin to that of a Kia dealer, allowing them to assign or reassign vehicle controls to any account they desired,” Rivera noted. “They weren’t verifying whether a user held dealer status, which is a significant oversight.”
Additionally, though the web portal was designed to look up vehicles by their VIN, the hackers could link a car’s VIN to its license plate number using the website PlateToVin.com.
More broadly, Rivera adds, any dealer using the system seemed to have been trusted with a shocking amount of control over which vehicles’ features were linked with any particular account. “Dealers have way too much power, even over vehicles that don’t touch their lot,” Rivera says.
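The missing dealer-status check Rivera describes, and the per-vehicle scoping his remark about dealer power points to, can be sketched from the defender's side as follows. This is an added example, not Kia's code or the researchers'; the session tokens, VINs, function names and data model are all hypothetical.

```python
import copy
from contextlib import suppress

# Constructed sample data; role and dealer scope live server-side, not in the request.
SESSIONS = {
    "tok-customer": {"user": "mallory", "role": "customer", "dealer_id": None},
    "tok-dealer7": {"user": "dealer7-staff", "role": "dealer", "dealer_id": "D7"},
}
VEHICLES = {
    "VIN-SAMPLE-SOLD": {"owner": "alice", "dealer_id": None},  # already sold
    "VIN-SAMPLE-LOT7": {"owner": None, "dealer_id": "D7"},     # on D7's lot
}

class Forbidden(Exception):
    """Maps to HTTP 403 in a real handler."""

def reassign_unchecked(token, vin, new_owner, vehicles):
    """Flawed pattern: authentication only, so any session acts as a dealer."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    vehicles[vin]["owner"] = new_owner
    return vehicles[vin]

def reassign_checked(token, vin, new_owner, vehicles, audit):
    """Hardened pattern: role check plus per-vehicle scope, denials logged."""
    session = SESSIONS.get(token)
    if session is None:
        raise Forbidden("not authenticated")
    vehicle = vehicles.get(vin)
    if session["role"] != "dealer":
        reason = "dealer role required"
    elif vehicle is None or vehicle["dealer_id"] != session["dealer_id"]:
        reason = "vehicle not in this dealer's inventory"
    else:
        vehicle.update(owner=new_owner, dealer_id=None)  # vehicle leaves the lot
        return vehicle
    audit.append({"user": session["user"], "vin": vin, "denied": reason})
    raise Forbidden(reason)

def demo():
    flawed, fixed, audit = copy.deepcopy(VEHICLES), copy.deepcopy(VEHICLES), []
    reassign_unchecked("tok-customer", "VIN-SAMPLE-SOLD", "mallory", flawed)
    for token in ("tok-customer", "tok-dealer7"):
        with suppress(Forbidden):  # both attempts on a sold car must be denied
            reassign_checked(token, "VIN-SAMPLE-SOLD", "mallory", fixed, audit)
    reassign_checked("tok-dealer7", "VIN-SAMPLE-LOT7", "bob", fixed, audit)
    return flawed, fixed, audit

if __name__ == "__main__":
    print(demo())
```

The audit entries for denied reassignments are the detection signal: a customer session calling a dealer function, or a dealer touching a vehicle outside its inventory, should never occur in normal use.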
Curry and Rivera, who worked with two other researchers to develop their hacking technique, reported their findings to Kia shortly after demonstrating them to WIRED in June, and the company responded to an inquiry from WIRED to note that it was investigating their findings. “We take this matter very seriously, and value our collaboration with security researchers,” a spokesperson wrote.
Shortly after the researchers reported the issue, Kia did make a change to its web portal API that appeared to block their technique, the researchers say. Then, in August, Kia told the researchers it had validated their findings but was still working on implementing a permanent fix for the problem. Kia hasn’t updated the researchers since or responded to WIRED’s questions. But after the standard 90-day window given to companies to fix security issues that researchers report, the hackers decided to go public with their findings—though they haven’t released their Kia-hacking proof-of-concept application and don’t plan to.
The Kia-hacking research group first began to assemble around the idea of probing carmakers’ websites and APIs for vulnerabilities in late 2022. A few of them were staying with a friend on a college campus and messing around with the app for a mobile scooter company when they accidentally triggered all the company’s scooters across the campus to honk and flash their lights for 15 minutes. At that point, the group “became super interested in trying more ways to make more things honk,” as Curry would write—including vehicles more significant than scooters. Soon after, Curry discovered that Rivera, who’d long been focused on car hacking and had previously worked at the carmaker Rivian, was already looking at web vulnerabilities in vehicle telematics.
In January 2023, they published the initial results of their work, an enormous collection of web vulnerabilities affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari—all of which they had reported to the automakers. For at least half a dozen of those companies, the web bugs the group found offered at least some level of control of cars’ connected features, they wrote, just as in their latest Kia hack. Others, they say, allowed unauthorized access to data or the companies’ internal applications. Still others targeted fleet management software for emergency vehicles and could have even prevented those vehicles from starting, they believe—though they didn’t have the means to safely test out that potentially dangerous trick.
In June of this year, Curry says, he discovered that Toyota appeared to still have a similar flaw in its web portal that, in combination with a leaked dealer credential he found online, would have allowed remote control of Toyota and Lexus vehicles’ features like tracking, unlocking, honking, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email seeming to demonstrate that he’d been able to reassign himself control of a target Toyota’s connected features over the web. Curry didn’t film a video of that Toyota hacking technique before reporting it to Toyota, however, and the company quickly patched the bug he’d disclosed, even temporarily taking its web portal offline to prevent its exploitation.
“As a result of this investigation, Toyota promptly disabled the compromised credentials and is accelerating security enhancements of the portal, as well as temporarily disabling the portal until enhancements are complete,” a Toyota spokesperson wrote to WIRED in June.
The extraordinary number of vulnerabilities in carmakers’ websites that allow remote control of vehicles is a direct result of companies’ push to appeal to consumers—particularly young ones—with smartphone-enabled features, says Stefan Savage, a professor of computer science at UC San Diego whose research team was the first to hack a car’s steering and brakes over the internet in 2010. “Once you have these user features tied into the phone, this cloud-connected thing, you create all this attack surface you didn’t have to worry about before,” Savage says.
He expresses disappointment in the vulnerability of web-based programming that controls various features, noting it’s unsettlingly easy to exploit. Rivera, an expert in automotive cybersecurity, notes that automobile companies often prioritize embedded devices over web security. This tendency exists partly because updates to embedded systems are harder and might necessitate recalls. Rivera points out a clear disparity between embedded and web security in the auto sector, highlighting that these areas frequently intersect, yet expertise does not span both domains.
Savage from UCSD hopes the research into hacking Kia vehicles will redirect industry focus toward web security. He recalls significant hacks like the 2015 Jeep takeover and the 2010 Impala hack by his UCSD team, which already pushed automakers to emphasize embedded cybersecurity. Now, he argues, there is a critical need to bolster web security, even if it demands considerable adjustments to their operational approaches.
“How do you justify delaying a car’s release by six months to address web security issues?” he questions. It is a challenging proposition, but he believes such incidents should prompt a deeper evaluation of these decisions.