A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw has been patched, but it highlights the growing threat of cyberattacks on connected cars.
A severe security vulnerability has been discovered in Kia vehicles, allowing hackers to remotely control key functions using only a license plate. Security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll uncovered a set of vulnerabilities that could have been exploited to gain unauthorized access to Kia vehicles by exploiting the Kia dealership infrastructure,
The attack involved attackers remotely registering for a fake account and generating access tokens. These tokens would then be used in conjunction with another HTTP request to a dealer APIGW (API Gateway) endpoint and the vehicle’s VIN (vehicle identification number) to obtain the owner’s name, phone number, and email address, potentially adding themselves as an “invisible” second user on the car without the owner’s knowledge.
Researchers discovered that a victim’s vehicle could be accessed by executing four HTTP requests and internet-to-vehicle commands. These commands include generating a dealer token, fetching the victim’s email and phone number, modifying the owner’s previous access using a leaked email address and VIN, and adding an attacker as the primary owner of the vehicle. The victim would not receive any notification about modifications to their access permissions. Here’s a quick explanation of which functionalities are vulnerable:
- Remote Lock/Unlock: They could lock or unlock the doors.
- Geolocate Vehicle: Hackers could pinpoint the car’s location.
- Remote Start/Stop: They could start or turn off the engine remotely.
- Remote Horn/Light: They could activate the car’s horn and lights.
- Remote Camera: In some cases, they could even access the car’s cameras.
A hypothetical attack scenario could allow a bad actor to enter a Kia vehicle’s license plate, retrieve the victim’s information, and execute commands after 30 seconds. The vulnerability allows hackers to remotely start or stop the engine, potentially stealing the vehicle, causing damage, or endangering occupants. It impacted a wide range of Kia vehicles, including models manufactured after 2013. This means that a significant number of cars were potentially at risk.
Kia addressed these issues in August 2024 following a responsible disclosure in July 2024. While no evidence of exploitation in the wild exists, researchers warn that car manufacturers could introduce similar vulnerabilities to Meta, allowing someone to take over a vehicle’s information. As cars become increasingly connected, manufacturers must prioritize security measures to protect their customers from potential threats.
This is not the first time a team involving ethical hackers like Sam Curry has compromised the security of internet-connected cars for good. In December 2022, hackers used application vulnerabilities to hack Honda and Nissa vehicles just by knowing their VIN.
Experts Comments:
Commenting on this, Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group, said, “This Kia vulnerability isn’t just a technical flaw—it’s a red flag for the entire automotive industry. It shows how modern cars have become prime targets for cybercriminals, shifting from physical theft to digital exploitation. The idea that a hacker could unlock, track, or even start your car using just a license plate number sounds like science fiction, but it’s happening today.”
Akhil further explained that “Kia’s quick patch is encouraging, but it raises a bigger question: Is the auto industry ready for these high-tech threats? This wasn’t just about controlling a car—it exposed personal data, too. In a few simple steps, a hacker could access sensitive information, change ownership, and take control of the vehicle without the owner’s knowledge. With nearly all Kia models made after 2013 affected, it’s clear that modern cars are now connected devices and vulnerable to the same cybersecurity risks as our phones and computers.”
“Automakers must take cybersecurity as seriously as crash safety. Cars aren’t just machines anymore—they are smart devices loaded with data that needs protection. Regular software updates, stronger encryption, and better communication with drivers are critical. If the industry doesn’t act soon, these risks could become problems for everyday drivers,” he warned.
