Hacking Kia: Remotely Controlling Cars With Just a License Plate

On September 23, 2024, cybersecurity researcher Sammy released an alarming report detailing critical vulnerabilities in Kia vehicles that allowed attackers to remotely control key vehicle functions using only the vehicle’s license plate number.


Introduction

On September 23, 2024, cybersecurity researcher Sammy released an alarming report detailing critical vulnerabilities in Kia vehicles that allowed attackers to remotely control key vehicle functions using only the vehicle’s license plate number. These vulnerabilities could be exploited within 30 seconds, enabling remote control of Kia vehicles' geolocation, locking, unlocking, and even starting the engine, all without the owner's knowledge or consent. The discovery highlights the dangers of connected vehicle systems and the growing risks posed by inadequate security measures in automotive technology.

Report Overview

Sammy’s research uncovered that the vulnerabilities stemmed from weaknesses in Kia’s web and mobile platforms, particularly the Kia Connect system and Kia dealer websites. Attackers could exploit these platforms to authenticate as legitimate users using a session token, bypassing the need for any physical interaction with the vehicle. By leveraging the license plate of a target vehicle, an attacker could retrieve personal data such as the owner's email address and phone number, and eventually take control of the vehicle.

The vulnerabilities affected multiple Kia models, including the 2025 Carnival, K5, and Sportage, and gave full access to remote control functions such as locking, unlocking, remote start, and tracking the vehicle’s location.

The report demonstrated the potential for large-scale exploitation, with millions of vehicles impacted worldwide. Kia has since addressed the vulnerabilities, and no malicious exploitation of this flaw has been reported.

Insights and Analysis

The vulnerability research conducted by Sammy is a stark reminder of the risks posed by connected vehicle systems, where software and remote access features introduce new avenues for exploitation. While Kia acted swiftly to patch these issues, the attack vector remains a concern for other automotive manufacturers who rely on similar infrastructure.

Sammy’s team illustrated how easy it was for an attacker to generate a session token by registering through Kia’s dealer API using simple HTTP requests. This access could then be leveraged to add the attacker as a secondary, invisible user of the vehicle. Once inside the system, the attacker had the capability to manipulate the vehicle’s functions—such as unlocking doors or starting the engine—all remotely and without the victim's awareness.

  • Widespread Vulnerability: The exploit affected multiple Kia models, demonstrating how interconnected vehicle systems can introduce systemic risks.
  • Undetected Attacks: Victims would receive no alert that their vehicle was accessed, allowing for silent control by attackers.
  • Personal Data Risk: Attackers could harvest personal information linked to the vehicle, further enabling identity theft or physical stalking.
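
The silent secondary-user pattern described above can be surfaced from account audit logs. The following is an added example, not code from the original report or from Kia: it flags a remote command issued by a non-owner shortly after a secondary user was added without an owner notification. The log schema, action names, sample events and the five-minute window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events: (time, actor, role, action, vin, owner_notified).
# Field and action names are hypothetical, not Kia's real log schema;
# owner_notified only matters on add_secondary_user rows.
EVENTS = [
    ("2024-06-01T10:00:08", "dlr-901", "dealer", "owner_lookup", "VIN-A", False),
    ("2024-06-01T10:00:21", "dlr-901", "dealer", "add_secondary_user", "VIN-A", False),
    ("2024-06-01T10:00:27", "dlr-901", "dealer", "remote_unlock", "VIN-A", False),
    ("2024-06-01T11:00:00", "own-17", "owner", "add_secondary_user", "VIN-B", True),
    ("2024-06-01T11:05:00", "usr-44", "secondary", "remote_start", "VIN-B", False),
    ("2024-06-01T12:00:00", "dlr-220", "dealer", "add_secondary_user", "VIN-C", True),
    ("2024-06-01T12:01:00", "dlr-220", "dealer", "remote_lock", "VIN-C", False),
]

REMOTE_COMMANDS = {"remote_lock", "remote_unlock", "remote_start", "locate"}


def find_silent_takeovers(events, window=timedelta(minutes=5)):
    """Flag remote commands by a non-owner that follow, within `window`,
    a secondary-user add the owner was never notified about."""
    silent_add = {}  # vin -> (time, actor) of the latest unnotified non-owner add
    alerts = []
    # Sort first: audit pipelines often deliver events out of order.
    for ts, actor, role, action, vin, notified in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if action == "add_secondary_user":
            if role != "owner" and not notified:
                silent_add[vin] = (when, actor)
        elif action in REMOTE_COMMANDS and role != "owner" and vin in silent_add:
            added_at, added_by = silent_add[vin]
            delay = when - added_at
            if delay <= window:
                alerts.append({
                    "vin": vin,
                    "added_by": added_by,
                    "command_by": actor,
                    "command": action,
                    "seconds_after_add": int(delay.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_silent_takeovers(EVENTS):
        print(alert)
```

Only the VIN-A sequence is flagged; the owner-initiated add (VIN-B) and the dealer add that generated an owner notification (VIN-C) pass.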

The vulnerabilities discovered in Kia’s systems highlight the importance of robust cybersecurity measures in connected cars. Although Kia has patched the issues, the incident serves as a warning to both consumers and manufacturers about the dangers of weak vehicle cybersecurity. It’s essential for car owners to keep their software up to date and for manufacturers to adopt stronger authentication protocols to prevent future attacks. This case underscores the evolving risks in automotive cybersecurity as vehicles become more reliant on internet-connected systems.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Mapping

Tactic | Technique | ID | Description
Initial Access | Exploit Public-Facing Application | T1190 | Exploiting vulnerabilities in public-facing applications like the Kia Connect platform to gain unauthorized access.
Privilege Escalation | Valid Accounts | T1078 | Using legitimate credentials (such as session tokens) to maintain persistence and escalate privileges within the Kia system.
Defense Evasion | Abuse Elevation Control Mechanism | T1548 | Bypassing authentication by exploiting session tokens and registering as a secondary user to hide unauthorized access.
Command and Control | Remote Access Software | T1219 | Using remote commands to control vehicle functions such as locking/unlocking and starting the vehicle.
