So, I still receive telemetry information from my old lease car, a Kia e-Niro, to my app. A huge, HUGE privacy issue.
I made sure to remove my profile from the car before turning it in, and doing a factory reset of the car’s software.
I can see everything, AC, whether there are doors open, odometer, and above all, location.
Also tried to see if I can turn off the AC, but any commands throw an error, so disabling my account on the car at least did something 😅
I had it in the Netherlands, it’s in Poland, and it looks like it’s on its way to Ukraine.
Kia, you need to check your security.
Edit:
Holy shit it gets real bad. I can lock and unlock the car.
This 100% needs to be reported. First to KIA, then to the media after whatever time is required to pass for responsible disclosure in your country/region.
Cybersecurity professional here, I’d read up on Kia’s responsible disclosure policy, to avoid any potential trouble, and for guidelines on how to disclose it to them and handle this ethically.
https://www.kia.com/eu/vulnerability-disclosure/
Unfortunately they don’t do bug bounties, which is too bad.
Edit: I wouldn’t listen to people telling you to lock the car, exploit it in other ways or disclosing it to the media first. That is unethical at best and illegal at worst.
This comment is being reported. Did you mean to post a different link?
Oh wow this is very embarassing very sorry about that. Edited to include the proper link.
Thanks!
. I can lock and unlock the car.
Keep it locked once the passenger is out. Maybe then they care.
Meldt het bij tweakers, die willen er vast een artikeltje overschrijven
I can lock and unlock the car that’s I don’t own. This is slightly worrisome, and me and my partner have just decided not to get a eNiro of our own 😅
That’s wild!!
Report it to a local tech site that’s a scandal.
My brother who was working on buying a Kia EV6 could see and track its location before even signing the paperwork. All you need is the VIN.
I bought a used ev6 and the previous owner profile was still on there.
Had to send info including proof of purchase and ID to have that old account removed.
This was from an actual Kia dealer that made it a certified pre-owned as well. I don’t understand why they didn’t have the old account removed.
On some websites, you can get the VIN with just the plate number.
Of course, the VIN is also displayed on the exterior of most cars anyway
HO LY FUCK!
I’ll kill myself before I get a car connected to the internet
Yeah iirc Hyundai/Kia are one of the worst in the car industry when it comes to handling user data.
But think of the shareholder value lost if we invest in that!
Just short it mate.
