Kia Patches Security Flaws Enabling Hackers to Remotely Access Cars

Key Takeaways

  • Security researchers found vulnerabilities in the Kia online connectivity portal that could have given hackers access to the car.
  • By exploiting the flaw, hackers could have accessed all Kia cars manufactured after 2013.
  • Kia has fixed the vulnerabilities as of August 14th.

Kia has fixed a set of significant vulnerabilities that would have allowed hackers to remotely control Kia cars made after 2013.

A group of cybersecurity researchers, including bug bounty hunter Sam Curry, discovered the flaws. These vulnerabilities allowed hackers to gain remote access to any Kia car equipped with the connectivity hardware in less than a minute, simply by using its license plate.

Shockingly, the remote access was possible even without an active Kia Connect subscription, and the vulnerabilities also exposed the car owner’s personal information. This included the owner’s name, contact details, and physical address. With this level of access, hackers could have surreptitiously added themselves as a second car user, all without the original owner’s knowledge.

The security researchers developed a tool to demonstrate how these vulnerabilities could be exploited. To use the tool, hackers would enter the Kia vehicle’s license plate and press Enter to initiate the process. Within 30 seconds, hackers could gain control of the car, allowing them to remotely lock or unlock it, start or stop the engine, track the vehicle’s location, and even sound the horn.

How Was the Kia Exploit Possible?

Sam Curry and Neiko Rivera, two researchers involved in uncovering the vulnerabilities, told Wired that the exploit was possible due to a loophole in Kia’s online connectivity portal. Kia owners use this portal to pair their smartphones with their cars and access features such as honking the horn, unlocking doors, and starting the engine.

Hackers could have tricked Kia’s system into assigning them remote access to the vehicle. Once they gained access, they would control all the car’s features, just like the owner using their smartphone. The most concerning aspect of this flaw is that hackers could have maintained access even if the car owner had turned off connected services for privacy reasons. The only way to stop the remote access would have been to remove the vehicle’s SIM card or manually disconnect its components.

As of August 14th, 2024, Kia has addressed these flaws, but the company continues to investigate any other potential issues.