Concerns over the security of connected vehicles have been heightened following the recent discovery of a vulnerability in Kia vehicles that allowed attackers to remotely control key functions using just license plate information. Independent security researchers alerted Kia to the issue, prompting them to address and fix the flaw in mid-August.
The vulnerability, discovered by researcher Sam Curry and his colleagues during follow-up research on multiple flaws in various car models, allowed attackers to exploit the application programming interface (API) protocols in Kia automobiles. By registering a dealer account and authenticating it, attackers could access APIs usually reserved for dealers, enabling them to control functions like locking and unlocking vehicles, starting and shutting down the engine, and activating headlights and horns based on license plate information.
This issue is not isolated to Kia vehicles, as similar vulnerabilities have been found in other automobile brands in recent years. The complexity of the API protocols used in connected cars, such as gRPC, MQTT, and REST, poses challenges for automakers in ensuring the security of their vehicles against unauthorized access.
Experts in cybersecurity emphasize the need for stronger authentication methods and secure communication channels to protect against potential cyberattacks on connected vehicles. Ivan Novikov, CEO of API security firm Wallarm, underscores the importance of enhancing cybersecurity measures in the automotive industry to mitigate these risks effectively.
Akhil Mittal, senior manager of cybersecurity strategy and solutions at Synopsys Software Integrity Group, points out that vulnerabilities in connected vehicles often stem from systems that communicate with external entities, like vehicle telematics systems and infotainment systems. The recent hack on Kia vehicles serves as a reminder of the potential weaknesses in APIs and cloud services, which can be exploited by hackers to gain access to critical vehicle functions.
The growing pattern of cybersecurity issues in connected vehicles has raised concerns among lawmakers and industry experts. Two US senators, Sens. Ron Wyden and Edward Markey, criticized automakers like General Motors, Honda, and Hyundai for collecting extensive data from connected vehicles without proper oversight. This data collection underscores the need for greater scrutiny of automaker practices to protect consumer privacy and security.
David Brumley, CEO of software security firm ForAllSecure, questions the responsibility of automotive vendors in ensuring the security of connected vehicles and calls for action to address these vulnerabilities effectively. The lack of oversight and regulation in the automotive industry has sparked worries among consumers about the safety and privacy of their personal information in connected vehicles.
Kia Motors has yet to provide a statement in response to inquiries about the vulnerability in their vehicles. As technology advances and vehicles become more connected, it is crucial for automakers to prioritize cybersecurity measures to safeguard against potential cyber threats and protect consumer safety.