It is supposed to reduce risks, but now it is showing that it can also create risks and is sending Spain into turmoil

From 2026, these small warning lights will replace the warning triangle in Spain. However, the mandatory gadget has major security gaps. (Image source: AA+W – stock.adobe.com)

In Spain, a networked warning light called “V16” will be mandatory from January 1, 2026. It is intended to replace the classic warning triangle as a safer alternative.

Now a security researcher has analyzed one of the best-selling models and shows that the device is so insecure that it can be hacked and completely taken over in less than a minute.

That’s why this is important:

• At first glance it seems like a purely Spanish problem, but it is not exclusively so.
• The V16 light shows what poorly secured IoT devices can look like.
• What complicates matters in this case is that it is made mandatory by the local authorities and at the same time it has a direct impact on road safety and infrastructure.

Germany has been discussing better digital emergency call systems, connected vehicles and smart traffic platforms for years.

57:51

E-cars in everyday life: Do the advantages outweigh the disadvantages or are the hurdles too big?

What is the V16 anyway?

In Spain, the so-called V16 warning light completely replaces the warning triangle. The small, magnetic flashing light goes on the roof of the car and sends:

• a strong yellow flashing signal
• via mobile phone (NB-IoT) the exact GPS position to the Spanish Transport Authority (DGT)

This means that no one should have to walk across the highway to set up a triangle.

One of these lights has now been examined closely by cyber security researcher Luis Miranda Acebedo. It is the widely used Help Flash IoT model, sold through Vodafone, among others. The mobile phone provider alone states that 250,000 of them are in circulation.

The security expert took a close look at this model. (Image source Luis Miranda Acebedo / github.com)

“That’s a sieve”: Security expert reveals massive security gaps

The security researcher found a long list of serious vulnerabilities that one would expect from cheap IoT toys, not from a government-mandated security product.

1. Unencrypted location data

The V16 sends its GPS coordinates, IMEI and network parameters in plain text. Anyone who intercepts the radio signal can:

• track the location of the vehicle
• read the identity of the device
• View network data

This even applies to fake cell phone masts, which, according to Acebedo, can be simulated with freely available hardware.

2. No real check of the remote station

The device does not check whether it is actually communicating with the correct server. This allows attackers to manipulate or completely block data traffic.

3. OTA updates with catastrophic gaps

The researcher found particularly serious problems with the update system:

• A maintenance WLAN can be activated by pressing a button for 8 seconds.
• The SSID and password are identical for every device and are permanently stored in the firmware.
• Firmware is loaded over pure HTTP, not HTTPS.
• No signature check: The warning light accepts any file as “firmware”.

Anyone within range of this WiFi may be able to reprogram the device.

4. Open debug interface

Access data for the private Vodafone APN could be read out via a freely accessible debug port. This even makes it possible to access the actually isolated network in which all V16 lights are installed.

How bad is that really?

According to his own statements, the researcher was able to:

• Hack a V16 light in under 60 seconds
• Send incorrect location data
• generate mass false alarms
• render devices unusable
• “flooding” entire regions with fake accidents

All this with cheap hardware and free software. This means that not only the individual light is compromised. Theoretically, the underlying infrastructure could also be massively disrupted.

Manufacturers and Vodafone are weighing things down

The manufacturer Netun confirms some points, but classifies the risk as low (Xataka has reported). The important statements:

• Yes, location data can be disclosed, but not personal information.
• Yes, updates were unsafe, but the function has now been disabled in the firmware.
• Mass attacks are unlikely because the platform limits the number of messages that can be sent per device.

At the same time, Vodafone emphasizes that the devices are certified, run over a private NB-IoT network, additional security measures exist and the products meet all legal requirements.

The responsible transport authority DGT has not yet responded to the analysis. Since the V16 will be mandatory from 2026, an official statement is likely and urgently needed.

What does this mean in the long term? The case shows how important it is that government-mandated IoT hardware is modernly secured. Spain will not be able to recall the devices so easily, as millions of drivers will be required to have such a device from 2026.

Depending on how the authorities react, it could result in mandatory firmware updates, new security guidelines or even a ban on the registration of certain models.