SC Media reports that millions of Kia vehicles made between the 2014 and 2025 model years could have been remotely controlled by threat actors just by inputting the cars' license plate numbers in attacks exploiting vulnerabilities in the automaker's owners' web portal and related mobile app.
The flaws, which stemmed from gaps in how the website and mobile app managed command input, were leveraged by Sam Curry and other ethical hackers to develop a tool that could allow vehicle tracking, door unlocking, engine starts, and remote camera viewing around 30 seconds after the cars' plate numbers were provided.
Attackers could also use the tool to obtain owners' information, including their phone numbers and email addresses, which could then be utilized to assert ownership of the compromised vehicle. While Kia has already resolved the security issues, which have not been actively exploited, Curry noted the potential emergence of other flaws affecting smart vehicles.
"Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle," said Curry.