Millions at Risk: Kia Exploit

CybersecurityHQ News

Welcome reader to your CybersecurityHQ report

Brought to you by:

Cypago enables strategic decision-making through a full Cyber GRC product suite that helps you avoid reputational damage, financial loss, or loss of client trust.

New Kia Flaw Allows Hackers to Control Millions of Cars—Is Your Vehicle at Risk?

Security researchers have been probing connected vehicle systems for over a decade, uncovering vulnerabilities in ways that often took considerable effort. Early hacks—like the ones that compromised a Chevrolet Impala in 2010 or a Jeep in 2015—required reverse engineering obscure code and delivering malware via unconventional methods like radio signals or even CDs.

Fast forward to this summer, and the process of hacking cars has gotten alarmingly simpler. A small team of independent researchers found a way to exploit a vulnerability in Kia's web portal, potentially giving hackers control over millions of vehicles by exploiting a bug as trivial as one found on a basic website.

The flaw they uncovered allowed the researchers to reassign control of various Kia vehicles’ internet-connected features—such as unlocking doors or starting the ignition—by taking advantage of Kia’s web infrastructure. Using a custom-built app, they could scan a car’s license plate, link it to a vehicle identification number (VIN), and effectively hijack the owner’s control from their own devices.

Kia was alerted to the problem and patched the vulnerability, but this isn’t the first time the carmaker has dealt with such a flaw. Similar bugs have been found at other automakers, including Honda, Toyota, and Hyundai. While Kia appears to have blocked this specific method, researchers warn that the problem of car security is far from resolved.

"The web security for vehicles is incredibly poor," said one of the researchers. "With just a license plate number, a hacker could stalk someone, unlock their car, and track their location. The systems were wide open."

The researchers' findings underscore a broader issue in the automotive industry: the focus has traditionally been on the security of the embedded systems within vehicles, but the web portals connected to these systems have lagged behind in terms of security. While car companies have worked to harden their vehicles' physical security, the shift toward smartphone-enabled features has introduced new vulnerabilities.

"There's a huge gap between how companies secure their embedded devices and how they handle web security," the researchers said. "The web systems are an afterthought."

These discoveries highlight a fundamental shift in the way cars are hacked, with modern exploits leveraging gaps in connected services rather than physical weaknesses in the vehicle itself. As connected features become a selling point for younger buyers, the attack surface grows. While automakers have made strides in securing cars' internal systems, the shift to more connected, cloud-based services has created new opportunities for bad actors.

For now, Kia has fixed the immediate flaw, but as long as cars continue to depend on vulnerable web portals, the battle between hackers and automakers will rage on.
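The article does not describe the exact defect in Kia's portal, only that it let a caller reassign control of a vehicle's connected features after tying a plate to a VIN. The example below is an added illustration, not Kia's code or the researchers' tooling: it models a hypothetical vehicle-control back end in which a "reassign controller" operation first trusts the submitted VIN (the weak pattern) and then enforces object-level authorization on it (the hardened pattern), and adds a small detection hook that flags accounts denied across several distinct VINs. All VINs, account names, and the `VehicleRegistry` API are constructed for this demonstration.

```python
import logging
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("vehicle-api")


@dataclass
class VehicleRegistry:
    """Hypothetical back end for a connected-car web portal (constructed for illustration)."""
    owners: Dict[str, str]                       # VIN -> account that owns the car
    controllers: Dict[str, Set[str]]             # VIN -> accounts allowed to send remote commands
    denied: List[Tuple[str, str]] = field(default_factory=list)  # (caller, VIN) audit trail

    def reassign_unchecked(self, caller: str, vin: str, new_controller: str) -> bool:
        """Weak pattern: any authenticated caller can move control of any VIN.
        The server assumes whoever submits the VIN is entitled to it."""
        self.controllers[vin] = {new_controller}
        log.info("control of %s reassigned to %s by %s (no ownership check)",
                 vin, new_controller, caller)
        return True

    def reassign_checked(self, caller: str, vin: str, new_controller: str) -> bool:
        """Hardened pattern: verify the caller owns the VIN before acting on it,
        and record every refusal so enumeration attempts are visible."""
        if self.owners.get(vin) != caller:
            self.denied.append((caller, vin))
            log.warning("denied: %s attempted to reassign %s", caller, vin)
            return False
        self.controllers[vin] = {new_controller}
        log.info("control of %s reassigned to %s by owner %s", vin, new_controller, caller)
        return True

    def can_send_command(self, caller: str, vin: str) -> bool:
        """Would a remote command (unlock, start) from this account be accepted?"""
        return caller in self.controllers.get(vin, set())

    def suspicious_callers(self, threshold: int = 3) -> Set[str]:
        """Detection hook: an account refused on several distinct VINs looks like
        probing rather than a single mistyped request."""
        per_caller: Dict[str, Set[str]] = defaultdict(set)
        for caller, vin in self.denied:
            per_caller[caller].add(vin)
        return {c for c, vins in per_caller.items() if len(vins) >= threshold}


def build_sample_registry() -> VehicleRegistry:
    # Constructed sample data: placeholder VINs and account names, not real vehicles.
    owners = {"VIN-EXAMPLE-0001": "alice", "VIN-EXAMPLE-0002": "bob", "VIN-EXAMPLE-0003": "carol"}
    controllers = {vin: {owner} for vin, owner in owners.items()}
    return VehicleRegistry(owners=owners, controllers=controllers)


def demo() -> dict:
    """Run the same requests against the weak and hardened handlers and report the outcome."""
    weak = build_sample_registry()
    weak.reassign_unchecked("mallory", "VIN-EXAMPLE-0001", "mallory")

    hardened = build_sample_registry()
    for vin in ("VIN-EXAMPLE-0001", "VIN-EXAMPLE-0002", "VIN-EXAMPLE-0003"):
        hardened.reassign_checked("mallory", vin, "mallory")          # all refused
    hardened.reassign_checked("alice", "VIN-EXAMPLE-0001", "alice-phone")  # owner, allowed

    return {
        "weak_mallory_controls": weak.can_send_command("mallory", "VIN-EXAMPLE-0001"),
        "hardened_mallory_controls": hardened.can_send_command("mallory", "VIN-EXAMPLE-0001"),
        "hardened_alice_phone_controls": hardened.can_send_command("alice-phone", "VIN-EXAMPLE-0001"),
        "flagged": hardened.suspicious_callers(),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership lookup in `reassign_checked` is the whole fix: the request carries a VIN, but the decision is keyed on the authenticated account, not on what the client sent. The `denied` audit trail is what makes the hardened version worth monitoring; the researchers' point that "with just a license plate number" a stranger could act on a car is exactly the kind of unchecked lookup this pattern closes.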

Why Weak Hashing Algorithms Like SHA1 and MD5 Can Expose Your Data to Cyber Threats

For a hashing scheme to do its job effectively, it has to meet a series of critical requirements. One of the key factors is that the hashing algorithm needs to demand significant computing resources to operate. Algorithms like SHA1 and MD5 fail this test, as they were designed to hash data quickly with minimal computational effort. That makes them unsuitable for modern password protection. In contrast, algorithms like Bcrypt, PBKDF2, and SHA512crypt, which are purpose-built for hashing passwords, are intentionally slow and consume large amounts of memory and processing power—an essential characteristic for securing sensitive information.

Another key requirement is the use of cryptographic "salting." This process involves adding random characters to a password before it’s hashed, ensuring that even if two users have the same password, their hashes will be different. Salting significantly increases the difficulty of cracking passwords, which typically involves attackers guessing vast numbers of potential combinations—often measured in the hundreds of millions—and comparing each hashed guess to those found in compromised databases.

The ultimate goal of hashing is to ensure that passwords are stored in a secure, unreadable format, never as plaintext. This makes it exponentially harder for hackers or malicious insiders to exploit the data without investing significant resources into breaking the hash.
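The two requirements above (a deliberately expensive algorithm and a per-user salt) are easy to see side by side. The following added example, written for this report rather than taken from any product, hashes the same constructed sample password with unsalted MD5/SHA1 and with salted PBKDF2-HMAC-SHA256 from Python's standard library, verifies a stored hash in constant time, and measures how many guesses per second each scheme allows on the local machine. The iteration count and the `pbkdf2_sha256$…` storage format are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed sample input for the demonstration; not a real credential.
SAMPLE_PASSWORD = "password"
# Assumption: a defender-chosen work factor for PBKDF2, not a value from the article.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str, algorithm: str = "md5") -> str:
    """Unsalted, fast hash of the kind the article warns against (MD5 or SHA1).

    Identical passwords always produce identical digests, and each guess costs
    a single fast hash, so precomputed tables and brute force are cheap.
    """
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow password hash using PBKDF2-HMAC-SHA256.

    A fresh random salt per user means equal passwords hash differently, and the
    iteration count makes every guess cost thousands of HMAC operations. The
    output is self-describing so the parameters travel with the stored hash.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, generated per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn: Callable[[str], str], sample: str,
                       seconds: float = 0.5) -> float:
    """Rough single-core guess rate for a scheme; the gap between the fast and
    slow functions is the article's point about attacker cost."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(sample)
        count += 1
    return count / seconds


if __name__ == "__main__":
    # Same password for two "users": unsalted MD5 collides, salted PBKDF2 does not.
    print("md5  user1:", weak_hash(SAMPLE_PASSWORD))
    print("md5  user2:", weak_hash(SAMPLE_PASSWORD))
    print("sha1 user1:", weak_hash(SAMPLE_PASSWORD, "sha1"))
    h1 = slow_salted_hash(SAMPLE_PASSWORD)
    h2 = slow_salted_hash(SAMPLE_PASSWORD)
    print("pbkdf2 user1:", h1)
    print("pbkdf2 user2:", h2)
    print("verify correct password:", verify_password(SAMPLE_PASSWORD, h1))
    print("verify wrong password:  ", verify_password("Password", h1))
    # Cost comparison on this machine; a fixed salt keeps the timing loop honest.
    fixed_salt = b"\x00" * 16
    print("md5 guesses/s:    %.0f" % guesses_per_second(weak_hash, SAMPLE_PASSWORD))
    print("pbkdf2 guesses/s: %.1f" % guesses_per_second(
        lambda p: slow_salted_hash(p, fixed_salt), SAMPLE_PASSWORD))
```

Run it and the two MD5 lines match while the two PBKDF2 lines differ in both salt and digest; the guess-rate figures show why a leaked table of fast unsalted hashes is so much cheaper to attack than one built with a purpose-built password hash.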

When Meta admitted in 2019 that it had stored hundreds of millions of user passwords in plaintext, it was clear the company had failed to meet these basic security standards.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Graham Doyle, deputy commissioner at Ireland’s Data Protection Commission. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

Fast forward to this week: the Data Protection Commission, the lead EU regulator for most U.S. tech giants, imposed a $101 million fine on Meta following its five-year investigation. This is just the latest in a string of penalties for GDPR violations since the law came into force in 2018. With more than $2.23 billion in fines so far, including a record $1.34 billion last year, Meta’s European legal troubles seem far from over as they continue to appeal these massive penalties.

Stay Safe, Stay Secure.

The CybersecurityHQ Team
