
Major Vulnerability in Kia’s Dealer Web Portal, Exposing Millions of Vehicles to Hacking Risk

Cybersecurity Experts Expose Remote Control Risk for Millions of Kia Vehicles

by Haktaurus

A team of independent cybersecurity experts has uncovered a serious vulnerability in Kia’s dealer web portal, putting millions of vehicles at risk of remote hacking. The flaw, discovered in June 2024, could allow attackers to control Kia cars manufactured after 2013 using only the vehicle’s license plate number.

The exposed vulnerability enabled hackers to remotely track, unlock, and even start vehicles in under 30 seconds, regardless of whether the car had an active Kia Connect subscription. The vehicles in question were equipped with remote hardware that made them susceptible to these attacks.

Notable security researcher and bug bounty hunter Sam Curry, along with his team of cybersecurity experts, made the discovery. In a blog post, Curry detailed how they accessed Kia’s backend dealer API by registering for a dealer account through the Kia Connect portal. Once logged in, they were able to acquire an access token that provided critical data about the vehicle’s owner, including name, phone number, email, and physical address.

The vulnerability also allowed hackers to control basic vehicle functions, such as locking and unlocking doors, starting and stopping the engine, honking the horn, and tracking the car’s location. “From the victim’s side, there was no notification that their vehicle had been accessed or their permissions modified,” Curry noted.

In an alarming demonstration, the team created a tool that allowed them to input a vehicle’s license plate number and remotely take control of its features within seconds. Each time the researchers tested the vulnerability on different vehicles, including rental cars and those owned by friends, they successfully bypassed security measures and gained access to the car.

This latest discovery follows previous reports from Curry’s team, who uncovered similar vulnerabilities in over a dozen car manufacturers in 2022, including Ferrari, BMW, Porsche, and Rolls-Royce. These flaws impacted more than 15 million vehicles and allowed attackers to disable starters, track cars, and gain remote access.

Curry explained that these vulnerabilities stem from the way car manufacturers design and manage their digital systems, drawing a comparison to social media platforms. “Just like Meta could introduce a code change that lets someone take over your Facebook account, car manufacturers could introduce vulnerabilities that give hackers access to vehicles,” Curry said.

The Kia flaw, specifically, revolved around vulnerabilities in the company’s dealer portal backend APIs. Attackers could access vehicle information by inputting the car’s VIN (Vehicle Identification Number) and manipulate its functions without the owner’s knowledge. The flaw even allowed malicious actors to add themselves as secondary users, giving them long-term control over the vehicle.

Following the discovery, the researchers promptly notified Kia of the issue. Although Kia has since fixed the vulnerability, the company has been slow to publicly address the situation. In a statement to WIRED, Kia confirmed the flaw had been patched but indicated that further investigation was ongoing. No additional updates have been provided.

As the automotive industry becomes increasingly reliant on internet-based features, the risks posed by cybersecurity vulnerabilities are growing. While Kia has addressed this issue, experts warn that unless manufacturers take substantial measures to improve the security of connected vehicles, similar threats will persist.

For consumers, this incident raises questions about the safety and privacy of their vehicles, highlighting the need for heightened vigilance in the age of connected cars.
