A key vulnerability in Kia vehicles allowed hackers to remotely control cars using only license plates. The flaw has since been fixed, but it highlights the growing risk of cyberattacks on connected cars.
A serious security vulnerability has been discovered in Kia vehicles, allowing hackers to remotely control key functions using only the license plate. Security researchers Nico Rivera, Sam Curry, Justin Rinehart and Ian Carroll uncovered a set of vulnerabilities that could have been exploited to gain unauthorized access to Kia vehicles by abusing the infrastructure of Kia dealerships.
The attack involved remotely generating registration and access tokens for a fake account. These tokens were then used, together with the vehicle’s VIN (Vehicle Identification Number), in another HTTP request to a dealer APIGW (API Gateway) endpoint to retrieve the owner’s name, phone number, and email address. An attacker could then possibly add themselves as an “invisible” additional user on the car without the owner’s knowledge.
The researchers discovered that the victim’s vehicle could be accessed by making four HTTP requests, after which vehicle commands could be executed from the Internet. The four requests are: creating a dealer token, retrieving the victim’s email and phone number, modifying the previous owner’s access using the leaked email address and VIN, and adding the attacker as the primary owner of the vehicle. The victim does not receive any notification that their access permissions have been modified. Here’s a quick rundown of the functionality that was exposed:
- Remote Lock/Unlock: They can lock or unlock the doors.
- Geolocate Vehicle: Hackers can pinpoint the location of a car.
- Remote Start/Stop: They can start or stop the engine remotely.
- Remote Horn/Light: They can activate the car’s horn and lights.
- Remote camera: In some cases, they can also access the car’s cameras.
In a hypothetical attack scenario, a bad actor could enter the license plate of a Kia vehicle, retrieve the victim’s information, and execute a command after 30 seconds. The vulnerability allowed hackers to remotely start or stop the engine, potentially stealing the vehicle, causing damage, or endangering the occupants. It affected a wide range of Kia vehicles, including models manufactured after 2013, which means that a large number of cars were potentially at risk.
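The four-request sequence and the 30-second timing described above point to a server-side detection: flag any token that walks the whole chain against a single VIN inside a short window. This is an added example, not code from Kia or the researchers; the log record layout, the action names and the 60-second window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, token id, action, VIN).
# The action names are hypothetical labels, not real Kia API endpoints.
SAMPLE_LOG = [
    ("2024-07-01T10:00:00", "tok-A", "dealer_token_created", None),
    ("2024-07-01T10:00:05", "tok-A", "owner_lookup", "VIN-0001"),
    ("2024-07-01T10:00:11", "tok-A", "owner_access_modified", "VIN-0001"),
    ("2024-07-01T10:00:18", "tok-A", "primary_owner_added", "VIN-0001"),
    ("2024-07-01T11:00:00", "tok-B", "dealer_token_created", None),
    ("2024-07-01T11:05:00", "tok-B", "owner_lookup", "VIN-0002"),
    ("2024-07-01T12:00:00", "tok-C", "owner_lookup", "VIN-0003"),
    ("2024-07-01T12:00:10", "tok-C", "primary_owner_added", "VIN-0004"),
]

# The four steps from the article, in the order they must occur.
CHAIN = ["dealer_token_created", "owner_lookup",
         "owner_access_modified", "primary_owner_added"]

def find_takeover_chains(records, window=timedelta(seconds=60)):
    """Return (token, vin, elapsed_seconds) for every token that completes
    the full chain, in order, on one VIN, within `window` of token creation."""
    progress = {}  # token -> (index of next expected step, start time, VIN)
    alerts = []
    for ts, token, action, vin in sorted(records, key=lambda r: r[0]):
        when = datetime.fromisoformat(ts)
        if action == CHAIN[0]:
            progress[token] = (1, when, None)  # a new token restarts tracking
            continue
        step, started, seen_vin = progress.get(token, (0, None, None))
        if step == 0 or action != CHAIN[step]:
            continue  # untracked token, or unrelated/out-of-order traffic
        if when - started > window or (seen_vin and vin != seen_vin):
            progress.pop(token, None)  # too slow or switched VIN: drop it
            continue
        if step == len(CHAIN) - 1:
            alerts.append((token, vin, (when - started).total_seconds()))
            progress.pop(token, None)
        else:
            progress[token] = (step + 1, started, vin)
    return alerts
```

Because the owner is never notified of the access change, an alert like this (or an out-of-band notification on every ownership change) is the only signal the backend would produce.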
Kia addressed these issues in August 2024, following a responsible disclosure in July 2024. While there is no evidence of exploits in the wild, researchers have warned that car manufacturers, much like Meta, could introduce similar vulnerabilities that would allow someone to capture vehicle information. As cars become increasingly connected, manufacturers must prioritize security measures to protect their customers from potential threats.
This isn’t the first time a team of ethical hackers like Sam Curry has compromised the security of internet-connected cars. In December 2022, hackers used application vulnerabilities to hack into Honda and Nissan vehicles just by knowing their VIN.
Expert Comments:
Commenting on this, Akhil Mittal, senior security consulting manager at Synopsys Software Integrity Group, said: “This Kia vulnerability isn’t just a technical flaw – it’s a red flag for the entire automotive industry. It shows how modern cars have become prime targets for cybercriminals, who are moving from physical theft to digital exploitation. The idea that a hacker can unlock, track, or even start your car using just a license plate number sounds like science fiction, but it is happening today.”
Akhil further explained that “Kia’s quick patch is encouraging, but it raises a bigger question: Is the auto industry ready for these high-tech threats? It wasn’t just about controlling a car – it also exposed personal data. In a few simple steps, a hacker can gain access to sensitive information, change ownership, and take control of a vehicle without the owner’s knowledge. With almost all Kia models made after 2013 affected, it is clear that modern cars are now connected devices and vulnerable to cybersecurity threats, like our phones and computers.”
“Automakers must take cybersecurity as seriously as crash safety. Cars are no longer just machines – they’re smart devices loaded with data that need protection. Regular software updates, robust encryption, and better communication with drivers are critical. If the industry doesn’t act soon, these risks could become problems for everyday drivers,” he warned.