Hacking Kia Cars Remotely with a License Plate


Cybersecurity researchers have uncovered a significant vulnerability in Kia vehicles that allowed hackers to remotely control key functions using nothing more than a car’s license plate.

This breach, discovered on June 11, 2024, exposed the potential for unauthorized access to personal information and vehicle control, raising serious concerns about automotive cybersecurity.

The Discovery

According to Sam Curry's report, the vulnerability was identified by a group of ethical hackers who had previously investigated security flaws at various car manufacturers.

Their latest findings revealed that attackers could execute remote commands on Kia vehicles equipped with specific hardware in as little as 30 seconds.

This breach did not require an active Kia Connect subscription, making it accessible to many vehicles.

How the Hack Works

The attack method involved entering a Kia vehicle’s license plate into a specially designed tool.

The tool then allowed the hacker to execute commands such as locking or unlocking doors, starting or stopping the engine, and even accessing the vehicle’s camera system.

The tool also enabled attackers to silently gather personal information, including the owner’s name, phone number, email address, and physical address.

HTTP Request to Unlock Car Door on the “owners.kia.com” website

POST /apps/services/owners/apigwServlet.html HTTP/2
Host: owners.kia.com
Httpmethod: GET
Apiurl: /door/unlock
Servicetype: postLoginCustomer
Cookie: JSESSIONID=SESSION_TOKEN;
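
In the request above, the operation travels in the Apiurl and Httpmethod headers rather than in the request line, so an access log keyed on URL path records every call as the same POST to apigwServlet.html. The following is an added example (not code from Kia or the researchers) of a log-normalization step that records the header-carried operation instead; the flag names and the /door/ prefix list are assumptions.

```python
ROUTING_HEADERS = ("httpmethod", "apiurl", "servicetype")
COMMAND_PREFIXES = ("/door/",)  # assumption: the page shows only /door/unlock

# Constructed sample: the request shown above, with a placeholder session token.
SAMPLE = """POST /apps/services/owners/apigwServlet.html HTTP/2
Host: owners.kia.com
Httpmethod: GET
Apiurl: /door/unlock
Servicetype: postLoginCustomer
Cookie: JSESSIONID=SESSION_TOKEN;
"""

def parse_head(raw):
    """Return (request_line, {lowercased header name: [values]})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % ln)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def audit_record(raw):
    """Build a log record keyed on the operation carried in the headers."""
    request_line, headers = parse_head(raw)
    flags = []
    for name in ROUTING_HEADERS:
        values = headers.get(name, [])
        if len(values) > 1:      # front end and back end may pick different copies
            flags.append("duplicate:" + name)
        elif not values:
            flags.append("missing:" + name)
    method = (headers.get("httpmethod") or ["?"])[0].upper()
    api_url = (headers.get("apiurl") or ["?"])[0]
    if api_url.startswith(COMMAND_PREFIXES):
        flags.append("vehicle-command")
    return {
        "outer": request_line.rsplit(" ", 1)[0],
        "operation": method + " " + api_url,
        "service_type": (headers.get("servicetype") or [None])[0],
        "has_session": any("JSESSIONID=" in c for c in headers.get("cookie", [])),
        "flags": flags,          # the cookie value itself is never copied into the log
    }

if __name__ == "__main__":
    print(audit_record(SAMPLE))
```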

Vehicles Affected

The breach affected several models across different years. Notable among them were the 2025 Carnival EX, SX, LX, and Hybrid versions, as well as the 2025 K5 and Sportage models.

The vulnerability allowed for remote lock/unlock and start/stop across these models.

[Figure: Full high-level attack flow]

The implications of this vulnerability were profound. An attacker could effectively take control of a vehicle without the owner’s knowledge or consent.

The ability to track vehicles and issue commands remotely posed significant risks to privacy and safety.

[Figure: Hacking a car using just the license plate]
[Figure: Executing commands on the compromised vehicle]

Response from Kia

Upon discovering the vulnerability, the researchers promptly reported it to Kia. The company has since implemented fixes to address the security flaws.

Kia confirmed that there was no evidence of malicious exploitation of these vulnerabilities before they were patched.

This incident underscores the importance of ethical hacking in identifying and mitigating potential security threats.

The researchers involved in this discovery have previously worked on uncovering vulnerabilities in other car manufacturers, contributing significantly to automotive cybersecurity.

As vehicles become increasingly connected and reliant on digital systems, ensuring robust cybersecurity measures is paramount.

Manufacturers must prioritize security in their design processes and remain vigilant against emerging threats.

The revelation of this vulnerability serves as a stark reminder of the potential risks associated with connected vehicles.

While Kia has taken steps to rectify the issue, ongoing vigilance and proactive security measures are essential to protect consumers from similar threats in the future. 
