
Kia web portal flaw lets hackers remotely track and hack your car


A small group of security researchers has discovered a set of critical flaws in Kia’s dealer portal that allow an attacker to remotely track, unlock, and steal millions of Kia cars made after 2013. All the attacker needs is the vehicle’s license plate to carry out the attack, making millions of Kia vehicles on the road vulnerable.

Bounty hunter Sam Curry and his security researchers discovered the vulnerabilities on June 11. The attack takes less than 30 seconds to take effect and works regardless of whether the vehicle has a Kia Connect subscription.

To make matters worse, the same vulnerabilities also expose the car owners’ personal information, including name, phone number, email address, and physical address, while allowing attackers to add themselves as a second user on targeted vehicles, all without the owner getting a hint.

The researchers created an account on Kia’s dealership portal to gain access. Once authenticated, they obtained an access token that let them into the backend dealer API, which exposed the vehicle owner’s information and, more importantly, remote access to the target car. Overall, access to the backend dealer API provides these four avenues of access:

  1. Ability to generate a valid access token and retrieve it from the HTTP response
  2. Access to the target car owner’s name and phone number
  3. Ability to change the owner’s access permissions
  4. Ability to add a rogue email to the target vehicle, allowing remote access

They also developed a tool that let them enter a vehicle’s license plate and remotely unlock or lock the car, start and stop the engine, geolocate it, and even use the horn—all in under 30 seconds. Curry’s explainer of the vulnerabilities includes a video of the app’s functioning.

Thankfully, Curry claims that the vulnerabilities have since been fixed, and the Kia team has validated that the vulnerabilities were never exploited maliciously. The tool the researchers used to demonstrate the hack was also not released to the public. Curry also discovered a similar vulnerability in 2022 where select Honda car models had a “replay attack” vulnerability that allowed an attacker to unlock said cars and even remotely start the engine from a short distance.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
