The V16 wanted to replace the triangle and reduce risks. They have ended up proving that they can also create them

On January 1, 2026, it will be mandatory to carry in the car an approved V16 beacon. The introduction of this device is surrounded by a great controversy regarding its implementation, its real usefulness or the emergence of illegal devices. What has just been discovered is that more than 250,000 beacons are affected by serious cybersecurity vulnerabilities. It is the umpteenth disaster that affects these devices.

what has happened. Luis Miranda Acebedo, cybersecurity expert, has published a complete and in-depth analysis of the digital security (or rather, lack thereof) of one of these V16 beacons. Specifically, the Help Flash IoT model, which is especially striking because the person who distributed it is Vodafone and the operator confirmed months ago that it had sold more than 250,000 units in Spain. The document and its conclusions are worrying.

Vulnerabilities everywhere. In his analysis Miranda explains that although the analysis only focuses on this device, “the security problems found in the communications part seem to be common to all devices.” Specifically, the errors found by this expert for that part were the following:

• Sending data in plain text– The beacon transmits exact GPS coordinates, IMEI and network parameters without any encryption. Anyone who intercepts the signal can read them.
• Lack of authentication and integrity: There are no mechanisms to verify that the server is legitimate or to ensure that the message has not been modified along the way.
• Susceptibility to false stations– It is possible to spoof a cell tower to intercept traffic, block alerts from being sent, or inject false data.
• Private APN Exposure– Although this beacons a private Vodafone network, the connection commands and keys are exposed on the debug port, making the network accessible to an attacker.

The V16 Help Flash IoT beacon is a real trick. Image: Luis Miranda Acebedo.

OTA updates, another disaster. The problems are not only limited to that part of the V16 beacon’s communication with the APN and the servers of each provider, but are also present in the OTA (Over-The-Air) update system:

• Insecure update: Simply press the power button for 8 seconds to activate a maintenance Wi-Fi network. The name (SSID) of the Wi-Fi and its password are identical (HF-UpdateAP-5JvqFV), they are “harcoded” in the firmware. Not only that: Miranda tested two different units and those credentials coincided, which leads him to think that they are the same in the 250,000 devices sold by Vodafone.
• unsecure HTTP: To download the new firmware, the HTTP protocol is used without further ado, not the secure version (HTTPS), allowing an attacker to intercept and modify the file in transit.
• No digital signature: The device does not verify the authenticity of the firmware, and accepts any file sent to it, allowing the installation of malicious software.
• DNS Spoofing– By not using DNSSEC it is trivial to trick the device into connecting to a fake server controlled by a cybercriminal.
• Open debug port: The port is also physically accessible without a password, allowing you to view all the logs and extract sensitive information from the hardware.

Hacking a beacon is easy and cheap. The researcher explained that it is possible to buy a device that simulates a telephone antenna (500-1,000 euros). Using a Rasperry Pi 4 or a laptop, free software can be used to “intercept and manipulate the “secure” communications of these beacons.” After running a proof of concept, he managed to hack a beacon in 60 seconds and install malicious firmware that allowed him to have full control of the beacon. With this firmware it could send false locations, access the operator’s private APN, generate massive false alarms or turn the beacon into a brick.

What Netun says. The company that manufactures these beacons, Netun Solutions, has sent out a press release to try to clarify these risks.

• Exposed data: The signature indicates that the beacon transmits geolocation, a device identifier and some technical parameters. They admit that this data can be exposed, but they emphasize that there is no transmission of personal data such as license plates or user IDs. Logical: they are not associated with the beacons.
• Plain text: Netun officials explain that the decision to send plain text was made to “guarantee long-term interoperability and robustness.”

• Private APN: It is also noted that the beacons connect through a private APN and a VPN from the operator, but Miranda explained how the connection parameters are exposed on the serial port. Physical access and removing the eSIM are enough for an attacker to connect to that private network. Netum in turn points out that physical access means that “the impact is limited to that specific unit.”
• OTA problems: Regarding the OTA functionality that also shows a vulnerability, Netun states that this function has been disabled through firmware updates.
• Improbable mass attacksFinally, those responsible point out that massive attacks could only be carried out by compromising a large number of beacons. They also explain that the Netun platform “limits the number of frames that each SIM can send” and the frequency of sending.

What Vodafone says. At Xataka we have contacted Vodafone, and one of their spokespersons tells us the following:

“The V16 beacons approved and marketed by Vodafone Spain constitute an adequate system that complies with current regulations for road emergency signaling. In particular, Help Flash IoT is certified in accordance with the regulations required by the General Directorate of Traffic (DGT) for connected V16 beacons, meeting the necessary technical requirements in terms of visibility (sufficient light intensity), resistance, flash reliability, signal duration, etc. These requirements also include the data communication protocols of the beacon with the servers.

The V16 beacons have internal security mechanisms and the Vodafone network provides an additional layer of security with controls that ensure that communication is made from the beacon authorized by the network. On the other hand, the beacons integrate NB-IoT connectivity, which guarantees that the beacon is only used for location in an emergency by authorized entities with the user’s knowledge. The communication that passes through Vodafone does so at all times through a private network, which guarantees the protection of the information emitted by the beacon.

“Vodafone considers that the V16 beacons it sells are a safe, appropriate and responsible tool for signaling road emergencies.”

For now, no comments from the DGT. At Xataka we have also contacted the DGT to try to further clarify these possible problems. At the moment we have not received a response, but we will update this information if we get new information.

In Xataka | FACUA believes that a lot of V16 beacons “approved by the DGT” are not legal. And there’s a way to sum it up: fraud.