Imagine this: a stranger can control your car just by knowing your license plate number. Sci-fi? Not anymore, thanks to some vulnerabilities found in Kia vehicles.
How It All Started
On June 11, 2024, a team of ethical hackers uncovered serious security flaws in Kia’s system. These flaws allowed remote control of critical functions using nothing more than a car’s license plate. No high-tech gear required – just 30 seconds and a browser.
What Could Hackers Do?
Once inside, hackers didn’t just play with the car’s controls – they gained access to personal data, including:
- Name, phone number, email, physical address
- Vehicle controls: Unlocking/locking doors, starting/stopping the engine, honking the horn, flashing the lights, and even tracking real-time location.
And if that wasn’t enough, attackers could quietly add themselves as “invisible users,” keeping the door open to hijack the car whenever they pleased.
How Did They Do It?
Kia’s website and mobile app, Kia Connect, are designed to let owners remotely interact with their vehicles. Unfortunately, a flaw in Kia’s authentication system allowed hackers to get in. Here’s a simplified version of their hack process:
- Access the Dealer Portal: Hackers generated a token by authenticating on the dealer portal, bypassing security measures.
- Extract Personal Info: Using the license plate, they accessed the owner’s personal information.
- Modify Access Rights: They altered the vehicle’s access permissions, gaining control.
- Take Command: At this point, they could send commands to the car as if they were the rightful owner.
Impacted Vehicles
From 2020 Tellurides to 2025 Carnivals and nearly every Kia model in between, it was Big Brother on wheels! Some models even allowed remote camera activation.
The Silver Lining
Thankfully, Kia has since patched these vulnerabilities, and the exploit software used by the hackers was never released publicly. So, while the idea of remote carjacking through a license plate sounds terrifying, for now, our Kias are safe.