Application security, Data Security, Privacy

Researchers hacked Kia cars armed with only license plate numbers

Share
KIA Motors logo sign on car of red color

A team of security researchers discovered a vulnerability that allows for Kia cars to be remotely compromised with nothing more than a license plate number.

Kia owners can rest easy, however, since the vulnerability was privately reported to the automaker and was fixed before being disclosed to the public. There were no known exploits of the flaw in the wild.

Sam Curry led a team of white hat hackers who uncovered vulnerabilities in the Kia owners web portal and its associated mobile app that could allow a threat actor to track a vehicle, unlock doors, start the engine, honk the horn, flash headlights, and remotely view onboard cameras.

“We built a tool to demonstrate the impact of these vulnerabilities where an attacker could simply (1) enter the license plate of a Kia vehicle, then (2) execute commands on the vehicle after around 30 seconds,” Curry explained.

The flaws were present in model years from 2014-2025. The range of vulnerability depended on the model and options.

According to Curry, the vulnerabilities were down to errors in the way the website and mobile app handled command inputs. Specifically, the researchers found that the owners' website allows HTML inputs that let unauthorized users create dealership identities that can then be used to create access tokens.

Using those tokens, an attacker could then get into the Kia dealer portal and pull up information on owners, including email, phone number, and vehicle identification number. That data can then be used within the dealer portal to modify the end-user’s ownership status and make the attacker the primary owner of the car.

This would seem like an arbitrary attack — after all, how would the attacker know which specific cars to target amongst a sea of vehicles? The catch is that a car’s VIN number is required to be tied to its license plate number.

If the attacker — armed with a dealership account — had a license plate number, they could look up the associated VIN. Once they had the VIN, they could look up the specific account, change the ownership status to their email address, and take over control.

From there, it was simply a matter of pulling up the app, logging in with the new account details, and sending commands to the car.

While in this case the specific flaw was reported and remediated before any of the bad guys found out, Curry said we probably have not seen the last of these sort of issues with smart cars.

“Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to takeover your Facebook account, car manufacturers could do the same for your vehicle,” he said.

Researchers hacked Kia cars armed with only license plate numbers

A team of security researchers discovered a vulnerability that allows for Kia cars to be remotely compromised with nothing more than a license plate number.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.