Security researchers have discovered a critical flaw in Kia’s dealer portal. The security bug can be exploited by threat actors to locate and illegally gain access to millions of Kia cars made after 2013 using just the vehicle’s license plate, a report from Bleeping Computer said.

The security bug could also be used to control any Kia vehicle equipped with remote hardware in under 30 seconds and expose personal information of the owners. This includes names, phone numbers, email address, and physical address.

Attackers can reportedly exploit the bug to add themselves as a secondary user to the vehicle without the owner’s knowledge.

To demonstrate the gravity of the bug, researchers engineered a tool that allowed them to remotely unlock the vehicle, start or stop the engine, honk the horn and pinpoint the location of the vehicle.

The security researchers who found the bug in Kia’s portal had earlier in 2022 discovered similar vulnerabilities impacting over a dozen car companies that could be exploited to remotely locate, disable starters, unlock and start over 15 million vehicles from renowned makers including Ferrari, BMW, Rolls Royce, and Porche.

The reported vulnerabilities have now been fixed by Kia and the company has responded saying that the bug was never actively exploited in the wild.

However, the news raises important questions about privacy and security of owners. Earlier in 2023, a study from the Mozilla Foundation said cars scored worst for privacy among more than a dozen product categories — including fitness trackers, reproductive-health apps, smart speakers and other connected home appliances — that Mozilla has studied since 2017.

The proliferation of sensors in automobiles — from telematics to fully digitised control consoles — has made them prodigious data-collection hubs, often raising concerns around their data privacy policies and its implementation.

Published - September 27, 2024 12:09 pm IST