Kia Dealer Portal Flaw Puts Millions of Cars at Risk of Remote Hacking

A team of independent security researchers have uncovered significant vulnerabilities in Kia’s dealer web portal, exposing millions of vehicles to potential hacking.

The flaw, discovered in June 2024, allowed attackers to remotely control Kia cars manufactured after 2013, using only the targeted vehicle’s license plate number.

These vehicles, equipped with remote hardware, could be tracked, unlocked, or even started in under 30 seconds, regardless of whether they had an active Kia Connect subscription.

The vulnerabilities were discovered by a group of cybersecurity experts, including Sam Curry, a well-known security researcher and bug bounty hunter.

In a blog post, Sam detailed how the team was able to access Kia's backend dealer API by registering for a dealer account on Kia's kiaconnect.kdealer.com portal.

Once authenticated, they obtained an access token that provided critical data about the vehicle owner, such as their name, phone number, email, and physical address.

This access also allowed them to remotely control the vehicle's basic functions, including locking and unlocking doors, starting and stopping the engine, honking the horn, and tracking the car's location.

In a particularly alarming demonstration, the researchers created a tool that allowed them to enter a vehicle's license plate and, within seconds, take control of these features.

"From the victim's side, there was no notification that their vehicle had been accessed or their permissions modified," said Sam Curry.

The researchers were able to perform these actions without the owner's knowledge or consent.

This is not the first time Saam Curry’s group has uncovered vulnerabilities in the automotive industry.

In 2022, the same team found flaws in over a dozen car manufacturers, including Ferrari, BMW, Porsche, and Rolls Royce, affecting over 15 million vehicles.

These flaws allowed potential attackers to locate vehicles, disable starters, and gain remote access.

These incidents highlight an ongoing issue within the automotive industry, where the increasing connectivity of vehicles is exposing them to cyber threats.

He explained that these flaws stem from how car manufacturers design and manage their digital systems, comparing the situation to social media platforms.

"Just like Meta could introduce a code change that lets someone take over your Facebook account, car manufacturers could introduce vulnerabilities that give hackers access to vehicles," he said in a statement on his blog.

How the Kia Flaw Was Exploited

The vulnerability in Kia's system revolved around its dealer portal, which offers functionalities to manage vehicles remotely.

By exploiting flaws in the portal's backend APIs, the researchers were able to gather sensitive information and remotely control a car.

For example, an attacker could enter a vehicle’s VIN (vehicle identification number) into the API and instantly track or unlock the car without the owner's knowledge.

The researchers also highlighted that the flaw could have allowed malicious actors to add themselves as secondary users on the vehicle without alerting the primary owner.

This would have enabled them to retain control over the vehicle for an extended period, further exacerbating security risks.

Potential Consequences and Real-World Testing

To validate the severity of the vulnerability, the team tested it on multiple vehicles, including rental cars and those owned by friends.

Each time, they successfully bypassed security protocols and accessed the car.

"If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car," Sam said, highlighting the dangers posed by this vulnerability.

Although the team did not release the tool to the public, they warned that if the vulnerability had gone unreported, malicious actors could have exploited it to steal or track vehicles.

In addition to the ability to control basic vehicle functions, hackers could have used the collected personal information to harass or stalk car owners.

Kia’s Response

The security researchers alerted Kia to the flaw soon after its discovery in June 2024.

According to reports, Kia has since fixed the vulnerability, though the company has been slow to respond publicly about the findings.

In a brief communication with WIRED, Kia confirmed it had resolved the issue but stated that it was still investigating the full scope of the vulnerability.

However, the company has not provided any further updates.

This latest discovery highlights a broader concern for car manufacturers and the growing risks posed by connected vehicles.

With more cars relying on internet-based features for convenience, these systems also become prime targets for hackers.

The researchers concluded that unless car manufacturers take more significant steps to secure their systems, vulnerabilities will continue to arise.

While Kia has patched the flaw, this incident serves as a wake-up call for the automotive industry.

As cars become increasingly digital and interconnected, manufacturers must prioritize cybersecurity.

The convenience of connected car features should not come at the expense of driver safety and privacy.

In the meantime, consumers may be left wondering if their cars are truly secure, or if the next digital flaw could put them at risk.