A set of significant vulnerabilities has been fixed in Kia cars, which would have allowed hackers to remotely control Kia cars made after 2013.
A group of cybersecurity researchers, including bug bounty hunter Sam Curry, discovered the flaws. These vulnerabilities allowed hackers to gain remote access to any Kia car equipped with hardware in less than a minute simply by using its license plate.
Shockingly, the remote access was possible even without an active Kia Connect subscription, and the vulnerabilities also exposed the car owner’s personal information. This included the owner’s name, contact details, and physical address. With this level of access, hackers could have surreptitiously added themselves as a second car user, all without the original owner’s knowledge.
New writeup from @_specters_ and I: we're finally allowed to disclose a vulnerability reported to Kia which would've allowed an attacker to remotely control almost all vehicles made after 2013 using only the license plate.
Full disclosure:https://t.co/e2EwvUMgqw pic.twitter.com/yMk4ihliFT
— Sam Curry (@samwcyo) September 26, 2024
The security researchers developed a tool to demonstrate how these vulnerabilities could be exploited. According to the tool, hackers must enter the Kia vehicle’s license plate and press Enter to initiate the process. Within 30 seconds, hackers could gain control of the car, allowing them to remotely lock or unlock it, start or stop the engine, track the vehicle’s location, and even sound the horn.
How Was Kia Exploit Possible?
Sam Curry and Neiko Rivera, two researchers involved in uncovering the vulnerabilities, told Wired that the exploit was possible due to a loophole in Kia’s online connectivity portal. Kia owners use this portal to pair their smartphones with their cars and access features such as honking the horn, unlocking doors, and starting the engine.
Hackers could have tricked Kia’s system into assigning them remote access to the vehicle. Once they gained access, they would control all the car’s features, just like the owner using their smartphone. The most concerning aspect of this flaw is that hackers could have maintained access even if the car owner had turned off connected services for privacy reasons. The only way to stop the remote access would have been to remove the vehicle’s SIM card or manually disconnect its components.
As of August 14th, 2024, Kia has addressed these flaws, but the company continues investigating for any other potential issues.