Warning from one of Spain's leading cybersecurity experts: V-16 emergency beacon is a 'car theft' risk

Zoom

Rafael López claims that the geolocation service on these devices, information that is publicly accessible, is key to the "real risks of fraud or abuse by malicious third parties"

I. Asenjo

Monday, 19 January 2026, 12:42

The V-16 emergency beacon - the new device for warning other road users of stranded vehicles on the road and mandatory since 1st January across Spain - could become a double-edged sword for drivers who have suffered a breakdown or accident on the road.

This technological advancement, designed by Spain's Directorate General of Traffic (DGT) to reduce roadside accidents for pedestrians, allows vehicles involved in accidents or breakdowns to send their exact location to the DGT 3.0 platform. However, the Guardia Civil has detected that this same GPS functionality is being exploited by organised criminal networks to carry out a new type of fraud.

The criminals, known as 'pirate tow trucks', intercept signals or monitor incidents to arrive at the scene before the official roadside assistance service contracted by the user can show up. If the incident were to occur at night and on a secondary road, the risk is even greater.

The system becomes an open door for unauthorised access

This is the warning given in our press interview with Rafael López , a cybersecurity engineer specialising in email protection at Check Point Software. He advises that the exposure of the API keys used by V-16 beacons poses a significant security risk to drivers.

These API keys are technical credentials that authenticate and authorise access to the DGT 3.0 platform, which manages the connection between the beacon and the road system. Their function is to restrict access to sensitive information, such as the real-time location of vehicles involvedin traffic incidents. However, when these credentials are not properly protected or are leaked to unauthorised persons, the system becomes an open door for unauthorised access.

Key features of the V-16 beacon

• Geolocation (DGT 3.0): automatically sends the vehicle's location to the DGT and other drivers via navigation panels or apps.

• IoT (Internet of Things) connectivity: uses technologies such as NB-IoT or LTE-M to transmit data.

• Approval: must have an alphanumeric code (for example, LCOE, IDIADA) engraved on the casing.

• 360° LED light: high-intensity amber light, visible from over one kilometre away.

• Quick activation: easy to use from inside the car, with magnetic base to attach to car roof.

• Battery life: minimum 18-month lifespan, active for at least 30 minutes

This poses a serious security problem, as it makes sensitive information - such as the location of vehicles stuck on the road - publicly accessible. In addition to violating driver privacy, it "facilitates fraud, such as dispatching unlicensed tow trucks or locating vehicles for opportunistic theft".

What exactly can an unauthorised third party see if they gain access to these keys?

This access would reveal not only the position of roadside vehicle stoppages, but also the type of incident that has immobilised them, be it a breakdown or an accident . "Although this information doesn't contain direct personal data such as name or number plate , it allows for the precise location of stopped vehicles to be known, exposing drivers to real risks of fraud or abuse by malicious third parties," explains López.

The DGT claims that its systems only transmit anonymous coordinates without linking them to a licence plate or driver identity. The problem is that, because the beacon's location is extracted with such precision, it can be exploited for other purposes other than the intended one.

"The main risk is that individuals of criminal intent - such as unlicensed towing networks or criminal gangs dedicated to the theft of impounded vehicles - could precisely locate broken-down cars," says the specialist. He also agrees with the argument made by JUCIL (an association of the Guardia Civil) that "the device is proving to be utterly ineffective and is opening dangerous doors for criminals to steal vehicles or personal belongings, taking advantage of the isolation and vulnerability of the driver, often in the middle of nowhere".

López recommends that, to avoid such scenarios, more rigorous management of API keys should be happening. "Each manufacturer or authorised party should have unique credentials, protected by strong authentication systems. Constant monitoring of access points, together with periodic audits, would make it possible to detect intrusion attempts or improper use", says López. He adds that the measures would not only guarantee the integrity of the information stored on the DGT 3.0 platform, but "would also preserve user confidence in this new road safety system".

The Guardia Civil's recommendations regarding potential scams with the V-16 beacon

Given the emergence of potential new scams, the Guardia Civil stresses the importance of remaining calm when activating the device and, once switched on, advises contact roadside assistance directly. If they arrive at the scene of the breakdown or accident, drivers should request formal identification and verify that these details match those provided by the service during the initial phone call.

Furthermore, the payment method is important when trying to determine if you are being scammed by an unlicensed tow truck company. Insurance companies will never request advance payment, as the process is handled through policy coverage. Another reason to be wary of any roadside assistance that's shown up is the insistence of the person driving the tow truck to take the vehicle to a garage without your consent.