Millions of KIA vehicles could be hacked & tracked due to website bug

OVERKILL

https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/

A bug, found in the KIA website, allowed a hacker with nothing more than a license plate to access not only the vehicle's location, but its location history as well as functions like unlocking it and starting it, honking the horn...etc. And this applied to basically any internet-connected KIA vehicle.

Researchers alerted Kia to the problem in June, at which point Kia implemented a fix.

More troubling is that this is the 2nd bug of this type that they've reported to Hyundai/KIA/Genesis within the last year. They've also found similar web vulnerabilities for Honda/Acura and Nissan/Infiniti as well as Toyota (and I'd assume Lexus).

Somewhat terrifying quote from the article:
“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” says Curry. “If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.” For Kias that come installed with a 360-degree camera, that camera, too, was accessible to hackers. Beyond allowing the hijacking of connected features in cars themselves, Curry says, the web portal flaw also allowed hackers to query a broad range of personal information about Kia customers—names, email addresses, phone numbers, home addresses, and even past driving routes in some cases—a potentially massive data leak.

😬
 
nothing more than a license plate to access not only the vehicle's location, but its location history as well as functions like unlocking it and starting it, honking the horn...etc. And this applied to basically any internet-connected KIA vehicle.
All those “you don’t need to obscure your license plates!” people have some explaining to do…

And yes I realize some low life could do the same on your daily commute or whatever, but that’s a fair bit better than the entire internet knowing.
 
All those “you don’t need to obscure your license plates!” people have some explaining to do…

And yes I realize some low life could do the same on your daily commute or whatever, but that’s a fair bit better than the entire internet knowing.
Knew this was coming … I’m a proud scribblerouter … 😷
 
All those “you don’t need to obscure your license plates!” people have some explaining to do…

And yes I realize some low life could do the same on your daily commute or whatever, but that’s a fair bit better than the entire internet knowing.
Yeah, some people in that thread were quite adamant that it's a crazy thing to do because there is nothing that can be done with just a license plate. Well, that's obviously not true.

Road rage is one thing, imagine getting your vehicle hacked and your location revealed only because of some stupid internet argument. People can be super vindictive given the chance and opportunity.
 
All those “you don’t need to obscure your license plates!” people have some explaining to do…

And yes I realize some low life could do the same on your daily commute or whatever, but that’s a fair bit better than the entire internet knowing.
Your license plate is on full display in real life anytime the vehicle is in public for anyone to see.
 
Isn't this more about the lack of security of Kia cars, than it is about license plates being obscured? Kia has demonstrated in at least two instances now, that they take very lightly the security of the cars that they sell. None of us should be surprised.
 
It isn't just vehicles now with this issue. I think several appliances like washers and dryers along with certain refrigerator models also had no security with their connections.
This is an IoT problem in general. Some of the worst are cheap wifi cameras because the cost to obtain them is so low.
 
https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/

A bug, found in the KIA website, allowed a hacker with nothing more than a license plate to access not only the vehicle's location, but its location history as well as functions like unlocking it and starting it, honking the horn...etc. And this applied to basically any internet-connected KIA vehicle.

Researchers alerted Kia to the problem in June, at which point Kia implemented a fix.

More troubling is that this is the 2nd bug of this type that they've reported to Hyundai/KIA/Genesis within the last year. They've also found similar web vulnerabilities for Honda/Acura and Nissan/Infiniti as well as Toyota (and I'd assume Lexus).

Somewhat terrifying quote from the article:


😬
At first glance, I thought Killed In Action vehicles.😁
 
Your license plate is on full display in real life anytime the vehicle is in public for anyone to see.
So many people clutch their pearls when I ask for a VIN to look up a part. They think it is like a social security number and fail to realize it is in plain view for all to see.
 
https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/

A bug, found in the KIA website, allowed a hacker with nothing more than a license plate to access not only the vehicle's location, but its location history as well as functions like unlocking it and starting it, honking the horn...etc. And this applied to basically any internet-connected KIA vehicle.

Researchers alerted Kia to the problem in June, at which point Kia implemented a fix.

More troubling is that this is the 2nd bug of this type that they've reported to Hyundai/KIA/Genesis within the last year. They've also found similar web vulnerabilities for Honda/Acura and Nissan/Infiniti as well as Toyota (and I'd assume Lexus).

Somewhat terrifying quote from the article:


😬
Was this actually exploited, or just a possibility stemming from a vulnerability or misconfiguration?
 