Cyber Security Flaw Exposed in Kia Vehicles: Millions at Risk


Security researchers have uncovered a series of vulnerabilities affecting Kia vehicles manufactured after 2013, potentially allowing hackers to gain unauthorized access to sensitive personal information and control vehicle functions remotely. This alarming discovery, led by hacker Sam Curry and his team, highlights significant security gaps that could compromise the safety of millions of Kia owners.

In 2022, the researchers demonstrated that key functions of Kia vehicles—such as locking, unlocking, starting, and stopping—can be accessed simply through the vehicle’s license plate number. This remote control capability raises serious concerns, as malicious actors could execute attacks within just 30 seconds, irrespective of whether the vehicle owner has an active Kia subscription.

Once compromised, hackers could not only steal the vehicle but also access personal data including names, phone numbers, email addresses, and physical addresses. Moreover, they could establish themselves as another user on the victim’s vehicle without detection, exacerbating the risks associated with these vulnerabilities.

The research team developed a tool called KIAtool to illustrate the extent of the threat. A YouTube demonstration shows just how simple it is for an attacker to exploit the vulnerability. By entering a vehicle’s license plate into the application, the attacker can issue commands that unlock the car within moments. The tool allows complete remote control, including functions like geolocation, remote locking, and starting.

Curry detailed the specific models and years affected, with varying levels of vulnerability. For instance, the 2024 Sorento LX was found to be particularly susceptible, allowing hackers to execute all five major commands remotely.

According to Wired and Cybernews, these vulnerabilities could leave millions of Kia vehicles exposed to hacking and tracking. Fortunately, Kia has since addressed the issue, and the KIAtool has not been released publicly.

This incident serves as a stark reminder of the importance of cybersecurity in the automotive industry, where digital vulnerabilities can lead to significant personal and financial risks for vehicle owners.