• Researchers have discovered a vulnerability that could have enabled attackers to gain access to millions of Kia vehicles within 30 seconds.
  • The team created a tool, which could be used to remotely lock/unlock vehicles, start and stop them, as well as locate them.
  • The group informed Kia about the issue and the vulnerability has been addressed.

The Kia Boyz apparently did things the hard way as security researchers recently discovered millions of vehicles built after 2013 could be taken over with their license plate. That’s a shocking discovery as the ‘key’ is effectively mounted on the rear bumper.

The vulnerability was discovered in June by a group of researchers that included Sam Curry, Ian Carroll, Neiko Rivera, and Justin Rhinehart. It enabled bad actors to take control of vehicles in about 30 seconds and the vulnerability also exposed customer information including their name, phone number, email address, and home address.

More: Keyless Entry Car Thefts Soar As Hackers Don’t Need Skills, Just Cheap Devices

While the attack and its explanation are rather technical, Curry explained on his website that they were able to register and be authenticated as a dealer, which provided them access to the Kia dealer portal. From there, they learned how to access customer information and become the “primary account holders” of target vehicles. This was done, in part, by changing the e-mail address connected to the vehicle to an account controlled by the attackers. Malwarebytes also noted they needed VINs, so they used a “third-party API to convert the license plate number to a VIN.”

That’s the CliffNotes version, but the bottom line is that bad actors could create a tool to remotely lock/unlock vehicles, start and stop them, as well as locate them. That’s pretty much everything you could ask for.

The list of impacted vehicles is long and appears to include virtually every single Kia. Among them are the Seltos, Soul, Sorento, Sportage, Stinger, and Telluride. The Forte, Niro, K5, EV6, and EV9 were also vulnerable to the attack.

Thankfully, the vulnerability was discovered by ethical hackers and they reached out to Kia in early June. Kia responded and began investigating, and they eventually addressed the vulnerability in August. After the team conducted tests to ensure the issue was indeed fixed, they decided to make their findings public. They added their tool was never released and Kia determined the vulnerability was never exploited maliciously.