A group of security researchers recently revealed that they had found a critical flaw in the web portal operated by the South Korean carmaker Kia. The researchers revealed that just by using the car’s license plate number, attackers could easily geolocate and gain access to millions of Kia cars made after 2013. The security flaw could also let attackers gain access to the personal information of the car’s owners including their addresses. 

The group of security researchers led by Sam Curry, a bug bounty hunter, found major security vulnerabilities two years ago, which could allow attackers to locate, unlock, and start over 15 million cars made by Ferrari, BMW, Porsche, among many others. 

Curry has now revealed on his website that the security flaws that he and his group discovered months prior to the announcement, could allow hackers to control any Kia car fitted with the remote hardware, “in about 30 seconds."

A license plate is all you need

Curry detailed how attackers could gain access to the car’s Vehicle Identification Number (VIN) using just the license plate number. Attackers could theoretically register an account on Kia’s dealer portal and use it to generate a token which gave them access to the car owner’s email address and phone number. They could then modify the owner’s permissions and add themselves as a secondary user without the knowledge of the actual owner.

This meant that attackers could remotely access even those cars which did not have an active Kia Connect subscription. However, the cars need to possess the hardware to support the feature. Once the attackers added themselves as a secondary user, they could use the VIN to remotely unlock the vehicle, honk the horn, or start and stop the engine. Curry says that the security flaw would allow all of the above without sending any notification to the car owners of their vehicles being accessed or permissions being modified.

The researchers went as far as making an application that would allow them to carry out the above attack through a few taps on the screen:

The security vulnerabilities have now been resolved with Kia having confirmed to Curry that they were not exploited maliciously. The outbreak of this news, however, brings up questions of digital security and privacy as car owners and brings the South Korean carmaker back into the spotlight for lapses in security. 

It was found in 2022 that cars made by Kia and its parent company Hyundai between 2015 and 2019 lacked electronic immobilisers that would normally prevent attackers from hot-wiring cars. This meant attackers could use simple tools such as a screwdriver and a USB cable to break through the car’s security system.

In an age where more and more cars feature remote controls and digital connectivity, carmakers must ensure that their vehicle security systems are as robust as possible. Lapses in security can allow unbridled access to vast amounts of data on vehicle owners, not to mention the potential for mass thefts.

Read Also: New-gen Maruti Suzuki Dzire India launch details confirmed