Hackers Demonstrate They Can Remotely Hack Kia Vehicles – Just By Scanning a License Plate

​A small but determined group of security researchers revealed that they discovered a way to remotely hack Kia vehicles, shining a light on what has become a systemic problem for modern car manufacturers: web security.
 
An article over at Wired details how the group of hackers exploited a web portal flaw which allowed them to “reassign control of the internet-connected features of most modern Kia vehicles,” granting them the ability to “track that car’s location, unlock the car, honk its horn, or start its ignition at will.”
 
It’s the latest demonstration of just how lacking web security is for many modern vehicles. Back in 2023, the same group published extensive findings showing that they could, to some degree or another, hack cars manufactured by Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota and more.
 
The way it works, broadly, is that by leveraging weaknesses in a car company’s web portal, a hacker can send direct commands to the site’s API, which is what allows programmers to manipulate online data. In Kia’s case, the hackers were able to essentially pretend to be dealers, who often manage connected car features remotely. Most alarmingly, they were able to do so just by reading a license plate and then looking up the associated VIN number via PlateToVin.com. The whole process takes about 30 seconds.
 
Said one researcher, “Dealers have way too much power, even over vehicles that don’t touch their lot.”
 
To say nothing of the possibilities for harassment and theft, the Kia debacle proves how easy it is to surveil drivers’ movements with just a little tech savvy and elbow grease. Virtually all modern cars have internet-connected devices, and it appears many of them also have lax security features. Kia wasn’t even checking whether a user of its web portal was a consumer or a dealer.
 
Kia, as of August, had apparently not fixed the problem, which hardly constitutes “movement that inspires.” But the fact is, all car companies need to be thinking about this issue – before the real criminals catch on.