In recent years, car hacking has moved from a niche concern to a widespread reality, with new exploits increasingly targeting the web-based systems that power modern vehicles. For a long time, such hacks were seen as complex and challenging. Researchers took years to find ways to exploit vehicles, like in the famous cases of the 2010 Chevrolet Impala or the 2015 Jeep hack, both of which required a deep understanding of car software and hardware. But the game has changed. This summer, a group of independent security researchers demonstrated a much easier way to hack vehicles, targeting millions of cars through a simple flaw in a web portal.
Their latest findings focus on Kia, the automaker owned by Hyundai. By exploiting a vulnerability in Kia’s web portal, the researchers were able to take control of internet-connected features in virtually any modern Kia vehicle. Using a custom-built app, they could track a vehicle’s location, unlock doors, honk the horn, or even start the ignition—actions that could lead to severe privacy violations and security risks for millions of drivers.
What makes this exploit even more concerning is its simplicity. The flaw wasn’t buried deep in the car’s complex telematics systems but in the basic backend of a website that both Kia dealers and customers use to manage vehicle features. By sending commands directly to this web portal’s API, the researchers found that they could impersonate a dealer and reassign control of any Kia’s connected systems to their own account.
The flaw, once discovered, was shockingly easy to exploit. All it took was finding a car’s VIN (Vehicle Identification Number), something they could quickly obtain through its license plate number, a task made even simpler by using a site like PlateToVin.com. This vulnerability, once exploited, allowed the hackers unprecedented control over Kia’s connected features.
Thankfully, after the researchers alerted Kia to the issue, the automaker moved quickly to patch the vulnerability in its web portal. However, Kia’s fix may only be temporary. The researchers point out that this was the second such flaw they had found in Kia’s system, following a similar issue reported last year. In fact, the problem isn’t confined to Kia. Acura, Honda, Toyota, and several other major automakers have all been affected by similar vulnerabilities in recent years, pointing to a much broader problem in the car industry’s web security.
As researcher Neiko Rivera noted, “Web security for vehicles is very poor.” The team’s findings echo a growing concern that carmakers aren’t doing enough to secure the digital systems in their vehicles, leaving millions of drivers vulnerable to privacy breaches, harassment, and even theft.
While the team’s research did not enable control over critical driving systems like brakes or steering, the ability to unlock a car, track its location, or access personal data from Kia’s customer database is alarming. A more sophisticated attacker could combine this vulnerability with other methods used by car thieves, increasing the potential for malicious exploitation.
The car hacking group has now gone public with its findings, choosing not to release their proof-of-concept application to avoid malicious use. Still, their work raises important questions about the security of modern cars and the responsibilities automakers have to protect their customers from digital threats. This story is a stark reminder that as vehicles become more connected, they also become more vulnerable. Car manufacturers must prioritize robust web security measures, or incidents like these may only become more common.
