Kia’s Security Flaw Lets Hackers Seize Control Of Vehicles Using License Plates

A recent investigation has uncovered a security vulnerability in Kia’s internet-connected systems, exposing millions of vehicles to potential hacking.

Independent security researchers discovered that by having a Kia vehicle’s license plate, one could hack into the car and gain unauthorized control over key functions, such as unlocking doors, tracking location, and even starting the ignition—in just seconds.

The researchers, who previously identified similar vulnerabilities across various automakers, alerted Kia to this issue in June. Although the company implemented a fix, it appears the problem has not been fully resolved.

“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” said Neiko Rivera, one of the researchers involved in the discovery, as reported by WIRED.

During their investigation, the researchers found a vulnerability in a web portal operated by Kia. This flaw allowed them to take control of the internet-connected features in most modern Kia vehicles.

The affected models represent millions of cars on the road. By exploiting this vulnerability, the researchers could transfer control from the vehicle owner’s smartphone to their own devices.

According to Sam Curry, another member of the research team, this flaw could enable a hacker to monitor a person’s movements.

“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” Curry told WIRED.

“If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.”

The researchers tested their method on various Kia vehicles, including rentals and cars on dealer lots, confirming its effectiveness across the board.

To illustrate how easily these vulnerabilities could be exploited, the researchers created a user-friendly dashboard.

This tool allowed users to input a license plate number and retrieve the owner’s personal information, demonstrating how an attacker could take over a vehicle and exert control.

The dashboard included a form that converted the license plate number into the vehicle identification number (VIN). A “Takeover” button executed a series of steps to gain access to the vehicle.

Additionally, another button displayed the owner’s personal information. Finally, a “Garage” tab enabled the attacker to execute commands on the compromised vehicles.

WIRED highlights that the numerous vulnerabilities in car manufacturers’ websites, which enable remote control of vehicles, stem from a push to attract consumers with smartphone-enabled features.

Stefan Savage, a computer science professor at UC San Diego, emphasizes that the integration of these features heightens security risks, as noted by WIRED.