BrianKrebsSep 26, 2024

Heads up to Kia owners/potential buyers: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/

Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug

Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that’s affected a dozen carmakers.

WIRED
Show threadNonya Bidniss 🥥🌴Sep 26, 2024
@briankrebs I read the story and I have the impression that if you never put the app on your phone you're ok??? I hate all these connected cars and if or when I have to get a new car I won't be installing any app on my phone. I don't care about any blinkenlights that won't work without it.
Show threadKrupoSep 26, 2024
@Nonya_Bidniss @briankrebs they said even cars on dealer lots (which presumably aren't registered) would be affected and were tested....
Show threadT.J. Crowder
@krupo I'd assume those cars were registered to a phone at the dealership for showing off the phone-related features.
Sep 27, 2024 at 8:41amWeb
Show threadKrupoSep 27, 2024

@tjcrowdertech doubtful based on my car dealership experiences.

Highly doubtful.

The article itself has an embedded video where they talk about having to take a little longer to hack the car if they need to associate it to a profile / account if it hadn't been setup already. And still hackable.

So that testimonial evidence is even more convincing.