Cybersecurity researchers have uncovered a major vulnerability in Kia autos that allowed hackers to remotely management key features utilizing nothing greater than a automotive’s license plate.
This breach, found on June 11, 2024, uncovered the potential for unauthorized entry to non-public data and automobile management, elevating severe issues about automotive cybersecurity.
The Discovery
In response to the Samcurry studies, the vulnerability was recognized by a gaggle of moral hackers who had beforehand investigated safety flaws in varied automotive producers.
Their newest findings revealed that attackers might execute distant instructions on Kia autos outfitted with particular {hardware} in as little as 30 seconds.
This breach didn’t require an energetic Kia Join subscription, making it accessible to many autos.
Free Webinar on Tips on how to Shield Small Companies In opposition to Superior Cyberthreats -> Free Registration
How the Hack Works
The assault methodology concerned getting into a Kia automobile’s license plate right into a specifically designed software.
The software then allowed the hacker to execute instructions akin to locking or unlocking doorways, beginning or stopping the engine, and even accessing the automobile’s digital camera system.
The software additionally enabled attackers to silently collect private data, together with the proprietor’s identify, cellphone quantity, e-mail handle, and bodily handle.
HTTP Request to Unlock Automotive Door on the “homeowners.kia.com” web site
POST /apps/companies/homeowners/apigwServlet.html HTTP/2
Host: homeowners.kia.com
Httpmethod: GET
Apiurl: /door/unlock
Servicetype: postLoginCustomer
Cookie: JSESSIONID=SESSION_TOKEN;Autos Affected
The breach affected a number of fashions throughout completely different years. Notable amongst them have been the 2025 Carnival EX, SX, LX, and Hybrid variations, in addition to the 2025 K5 and Sportage fashions.
The vulnerability allowed for distant lock/unlock and begin/cease throughout these fashions.
The implications of this vulnerability have been profound. An attacker might successfully take management of a automobile with out the proprietor’s data or consent.
The power to monitor autos and subject instructions remotely posed vital dangers to privateness and security.
Response from Kia
Upon discovering the vulnerability, the researchers promptly reported it to Kia. The corporate has since applied fixes to handle the safety flaws.
Kia confirmed that there was no proof of malicious exploitation of those vulnerabilities earlier than they have been patched.
This incident underscores the significance of moral hacking in figuring out and mitigating potential safety threats.
The researchers concerned on this discovery have beforehand labored on uncovering vulnerabilities in different automotive producers, contributing considerably to automotive cybersecurity.
As autos turn out to be more and more related and reliant on digital methods, making certain sturdy cybersecurity measures is paramount.
Producers should prioritize safety of their design processes and stay vigilant in opposition to rising threats.
The revelation of this vulnerability serves as a stark reminder of the potential dangers related to related autos.
Whereas Kia has taken steps to rectify the difficulty, ongoing vigilance and proactive safety measures are important to guard shoppers from related threats sooner or later.
Analyse AnySuspicious Hyperlinks Utilizing ANY.RUN's New Secure Shopping Device: Attempt It for Free