
Kia’s Security Flaw Lets Hackers Seize Control Of Vehicles Using License Plates
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
In a Rush? Here are the Quick Facts!
- Vulnerability discovered in Kia’s systems exposes millions to potential hacking risks.
- License plate access lets hackers control key functions, including unlocking doors.
- Kia’s fix for the vulnerability remains incomplete, allowing ongoing security issues.
A recent investigation has uncovered a security vulnerability in Kia’s internet-connected systems, exposing millions of vehicles to potential hacking.
Independent security researchers discovered that by having a Kia vehicle’s license plate, one could hack into the car and gain unauthorized control over key functions, such as unlocking doors, tracking location, and even starting the ignition—in just seconds.
The researchers, who previously identified similar vulnerabilities across various automakers, alerted Kia to this issue in June. Although the company implemented a fix, it appears the problem has not been fully resolved.
“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” said Neiko Rivera, one of the researchers involved in the discovery, as reported by WIRED.
During their investigation, the researchers found a vulnerability in a web portal operated by Kia. This flaw allowed them to take control of the internet-connected features in most modern Kia vehicles.
The affected models represent millions of cars on the road. By exploiting this vulnerability, the researchers could transfer control from the vehicle owner’s smartphone to their own devices.
According to Sam Curry, another member of the research team, this flaw could enable a hacker to monitor a person’s movements.
“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” Curry told WIRED.
“If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.”
The researchers tested their method on various Kia vehicles, including rentals and cars on dealer lots, confirming its effectiveness across the board.
To illustrate how easily these vulnerabilities could be exploited, the researchers created a user-friendly dashboard.
This tool allowed users to input a license plate number and retrieve the owner’s personal information, demonstrating how an attacker could take over a vehicle and exert control.
The dashboard included a form that converted the license plate number into the vehicle identification number (VIN). A “Takeover” button executed a series of steps to gain access to the vehicle.
Additionally, another button displayed the owner’s personal information. Finally, a “Garage” tab enabled the attacker to execute commands on the compromised vehicles.
WIRED highlights that the numerous vulnerabilities in car manufacturers’ websites, which enable remote control of vehicles, stem from a push to attract consumers with smartphone-enabled features.
Stefan Savage, a computer science professor at UC San Diego, emphasizes that the integration of these features heightens security risks, as noted by WIRED.

Meta Fined $101.5 million For Password Security Breach
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
In a Rush? Here are the Quick Facts!
- Meta was fined €91 million for inadequate password security measures.
- MPIL stored user passwords in plaintext without encryption or protection.
- DPC identified multiple GDPR violations in its findings.
The European Union’s lead privacy regulator has fined Meta €91 million ($101.5 million) for inadequate security measures regarding user passwords.
Today, the Irish Data Protection Commission (DPC) announced its final ruling in an inquiry involving Meta Platforms Ireland Limited (MPIL).
According to the announcement, the inquiry began in April 2019 when MPIL reported that it had mistakenly stored certain social media users’ passwords in “plaintext,” meaning they were kept without any encryption or cryptographic protection on its internal systems.
Deputy Commissioner Graham Doyle emphasized the severity of storing passwords in plaintext, stating in the announcement:
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”
“It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” he added.
In June 2024, the DPC submitted a draft decision regarding the case to other concerned supervisory authorities across the European Union and European Economic Area.
Since no objections were raised against the draft, the DPC proceeded to finalize its decision. On September 26, the DPC informed MPIL that it would face a reprimand along with a hefty fine of €91 million (approximately $101.5 million) for its negligence.
Furthermore, the commission noted that MPIL did not document the breaches. Additionally, the DPC found that MPIL had not implemented appropriate technical or organizational measures to safeguard users’ passwords from unauthorized access.
Finally, the DPC accuses MPIL of failing to implement adequate security measures appropriate for the risks associated with password processing.
According to a Meta spokesperson in an email to Bloomberg, the issue was discovered during a security review in 2019.
The spokesperson wrote, “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.”
“We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry,” the spokesperson stated.
This underscores the company’s ongoing struggles with privacy compliance and raises questions about its ability to effectively protect user data.