License plate hack lets cybercriminals unlock and track Kia vehicles in under 30 seconds

Written by

Published 1 Oct 2024

Fact checked by

NSFW AI Why trust Greenbot

We maintain a strict editorial policy dedicated to factual accuracy, relevance, and impartiality. Our content is written and edited by top industry professionals with first-hand experience. The content undergoes thorough review by experienced editors to guarantee and adherence to the highest standards of reporting and publishing.

Disclosure

black and gray mercedes benz steering wheelPhoto by 𝔑𝔦𝔩𝔰 𝔅𝔬𝔤𝔡𝔞𝔫𝔬𝔳𝔰 on Unsplash

Kia vehicles were left vulnerable to hackers who could unlock, start, and track them using just a license plate number and a smartphone, according to a recent discovery by cybersecurity expert Sam Curry and his team. While Kia has since patched the flaw, the incident exposes a troubling gap in the security of connected cars, raising concerns about how protected millions of drivers truly are from digital threats.

Almost all Kia models built since 2014 were affected, including popular ones like the Sportage, Carnival, and Seltos. The hackers demonstrated that they could access personal information like the vehicle owner’s name, phone number, and physical address, while also remotely controlling some features mentioned earlier.

“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” Curry told Wired. The lack of notification for the affected drivers meant the hack was practically invisible.

The vulnerability, identified in June 2024, originated in Kia’s web portal used by dealerships, which Curry’s team exploited to gain unauthorized access. By registering a fake dealer account, the hackers managed to retrieve valid access tokens, which could be used to control any connected Kia vehicle remotely.

This hack was remarkably easy to execute. By simply entering a license plate into a custom app developed by the researchers, they could bypass the system and take control in under 30 seconds. The simplicity of the attack, requiring only the car’s license plate and a few minutes of work, shocked many in the cybersecurity community. The entire process was documented in a blog post by the team.

Luckily, Curry and his team are ethical hackers who reported the bug directly to Kia. After validating the issue, Kia worked on a patch. The bug has now apparently been fully addressed, and there have been no known malicious exploits. Curry also has no plans to publish the smartphone app.

This vulnerability highlights a larger problem plaguing the connected car industry. As vehicles increasingly rely on internet-based systems for convenient features, they also become more vulnerable to hacking.

“Cars will continue to have vulnerabilities. In the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle,” he noted.

A well-known hack of a Jeep Cherokee in 2015 showed that attackers could remotely disable brakes and steering, but that involved complex processes like reverse engineering the car’s telematics unit. The ease of the Kia hack—a simple bug in a website—demonstrates just how accessible car hacking has become.