A recent glitch found in Kias has highlighted cybersecurity vulnerabilities in connected vehicles.
According to a report from the cybersecurity publication Dark Reading, the flaw was found earlier this month by independent researcher Sam Curry while he was conducting follow-up research on other vehicles.
That research, the report said, showed how anyone could take advantage of the vulnerabilities in basic vehicle commands to take over an owner’s account and lock them out of managing their own car. In other cases, vulnerabilities allowed hackers to gain remote access to a vehicle’s camera and see live images from inside the vehicle.
The new issue involved application programming interface (API) protocols which enable internet-to-vehicle commands on Kias.
The researchers, the report said, discovered that it was relatively easy to register a Kia dealer account and gain access to the dealer APIs, which they could then use to enter a car’s plate information and get the data they needed to control vehicle functions.
“The recent discovery underscores the intricate challenges posed by the complex API protocols … used in connected cars,” Ivan Novikov, CEO of API security firm Wallarm, told Dark Reading. “Automakers must prioritize enhancing their cybersecurity measures by implementing stronger authentication methods and securing communication channels to protect against unauthorized access.”
The report comes as U.S. officials are sounding the alarm about possible cyberthreats posed by connected cars.
The Commerce Department recently introduced regulations that would ban connected vehicle technology from China and Russia. As noted here last week, this proposal “marks a significant shift in the approach to national security and cybersecurity within the automotive sector.”
Once it’s final, the rule would forbid the import or sale of connected vehicles and related components that are designed, developed or manufactured by entities linked to China or Russia. This regulation targets “vehicle connectivity systems” (VCS) like Bluetooth, satellite, cellular and Wi-Fi modules, along with “automated driving systems” (ADS) that let vehicles operate autonomously.
The first part of the proposed ban would take effect with model year 2027; in other words, at the beginning of 2026.
Earlier this year, Alan Estevez, the department’s export controls chief, stressed the risks associated with the vehicles.
“A car is formidable,” he said. “Your vehicle gathers a wealth of information about you, from software updates to driving habits, connectivity to personal devices and location tracking.”