Kia vulnerabilities could allow bad actors to steal your car


Security researchers have found a set of vulnerabilities that could allow bad actors to hack into Kia vehicles made after 2013 and steal the owner's personal information.

In 2022, a group of researchers, including hacker Sam Curry, discovered that key functions of Kia vehicles, such as unlocking, locking, starting, and stopping, can be accessed using the car's license plate.

These functions can be controlled remotely, allowing bad actors to hack into Kia vehicles and effectively steal them.

“These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia subscription,” Curry said.

Alongside stealing the vehicle, hackers could access the owner’s personal information.

This includes:

  • Names
  • Phone numbers
  • Email addresses
  • Physical addresses

Furthermore, bad actors could make themselves an “invisible second user on the victim’s vehicle without their knowledge.”

The group created a tool to show how devastating these vulnerabilities can be. A hacker could enter a vehicle’s license plate and, after about 30 seconds, unlock, start, or execute other commands on it.

A YouTube video uploaded to Curry’s channel shows just how easy it is to hack into a Kia vehicle. However, the researchers specified that this only affects certain vehicles made after 2013.

The video shows someone using the KIAtool developed by the researchers. The individual enters the license plate number into the application and executes a command to exploit the vehicle.

After a little while, the person can take control of the car by selecting a command. The tool allows the user to unlock the vehicle, and within about half a minute, the Kia is opened.

Curry’s write-up included the years and models of vehicles impacted by these vulnerabilities, which range from the 2014 Sportage SX to the 2025 Carnival EX.

However, these defects affect each model differently, as not all commands can be executed.

For example, the 2024 Sorento LX is vulnerable to attacks as five out of five commands can be executed remotely. These include geolocate vehicle, remote lock and unlock, remote start and stop, remote horn and light, and remote camera. This is all possible due to vulnerabilities in Kia’s web portal.

According to Wired, this could leave millions of vehicles open to being hacked and tracked by bad actors.

Since then, the issue has been fixed and the KIAtool created by the researchers was never released.