A team of security researchers discovered a vulnerability that allows for Kia cars to be remotely compromised with nothing more than a license plate number.
Kia owners can rest easy, however, since the vulnerability was privately reported to the automaker and was fixed before being disclosed to the public. There were no known exploits of the flaw in the wild.
Sam Curry led a team of white hat hackers who uncovered vulnerabilities in the Kia owners web portal and its associated mobile app that could allow a threat actor to track a vehicle, unlock doors, start the engine, honk the horn, flash headlights, and remotely view onboard cameras.
“We built a tool to demonstrate the impact of these vulnerabilities where an attacker could simply (1) enter the license plate of a Kia vehicle, then (2) execute commands on the vehicle after around 30 seconds,” Curry explained.
The flaws were present in model years from 2014-2025. The range of vulnerability depended on the model and options.
According to Curry, the vulnerabilities were down to errors in the way the website and mobile app handled command inputs. Specifically, the researchers found that the owners' website allows HTML inputs that let unauthorized users create dealership identities that can then be used to create access tokens.
Using those tokens, an attacker could then get into the Kia dealer portal and pull up information on owners, including email, phone number, and vehicle identification number. That data can then be used within the dealer portal to modify the end-user’s ownership status and make the attacker the primary owner of the car.
This would seem like an arbitrary attack — after all, how would the attacker know which specific cars to target amongst a sea of vehicles? The catch is that a car’s VIN number is required to be tied to its license plate number.
If the attacker — armed with a dealership account — had a license plate number, they could look up the associated VIN. Once they had the VIN, they could look up the specific account, change the ownership status to their email address, and take over control.
From there, it was simply a matter of pulling up the app, logging in with the new account details, and sending commands to the car.
While in this case the specific flaw was reported and remediated before any of the bad guys found out, Curry said we probably have not seen the last of these sort of issues with smart cars.
“Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to takeover your Facebook account, car manufacturers could do the same for your vehicle,” he said.
