Critical Vulnerabilities in KIA Infotainment Let Attackers Inject Code with PNG Files

A recent security analysis has uncovered critical vulnerabilities in the infotainment systems of KIA vehicles, raising alarm across the automotive cybersecurity community.

These flaws allow attackers to inject and execute malicious code through specially crafted PNG image files, potentially compromising vehicle safety and user privacy.

Security researchers, during an in-depth examination of KIA’s head unit and its underlying Real-Time Operating System (RTOS), found that the infotainment firmware failed to properly validate certain image file formats—most notably PNG files.

By exploiting this weakness, attackers could embed executable payloads inside images that, when processed by the infotainment system, triggered remote code execution.

Technical Exploitation

The attack leverages a buffer overflow vulnerability in the image parsing library used by KIA’s infotainment system.

When a malicious PNG file is loaded—either via USB, Bluetooth, or over-the-air update—the system’s parser mishandles the image data, allowing the attacker’s code to overwrite critical memory regions.

Attack Chain

• Initial Access: The attacker delivers a malicious PNG file to the vehicle (e.g., via a USB drive or compromised update).
• Payload Execution: The infotainment system parses the image, triggering the buffer overflow.
• Privilege Escalation: The injected code runs with system-level privileges, allowing full control over the head unit.
• Potential Impact: Attackers can manipulate vehicle settings, access personal data, or pivot to other vehicle networks such as the CAN bus.

The vulnerability has been tracked as CVE-2020-8539, which specifically describes a command injection flaw in KIA’s head unit software.

This CVE details how attackers can exploit the system to execute unauthorized commands, manipulate vehicle functionalities, and potentially generate malicious CAN frames on the vehicle’s internal network.

This flaw is particularly dangerous because infotainment systems are increasingly integrated with critical vehicle controls. A successful exploit could allow:

• Remote unlocking or starting of the vehicle
• Access to user credentials and personal data
• Manipulation of navigation and multimedia functions
• Potential lateral movement to safety-critical ECUs

Mitigation and Response

KIA has released firmware updates to address this vulnerability. Users are strongly advised to:

• Apply all available software updates promptly
• Avoid loading media from untrusted sources
• Monitor official advisories for further guidance

The discovery of this PNG-based attack vector underscores the urgent need for robust security in automotive software.

As vehicles become more connected, vulnerabilities in infotainment systems can have far-reaching consequences for both privacy and safety

Stay Updated on Daily Cybersecurity News . Follow us on Google News, LinkedIn, and X.