Car buyers typically have many questions when purchasing a new automobile, but few are likely to consider whether an attacker could remotely control their vehicle using just license plate information.

Yet that’s exactly what millions of Kia vehicles allowed until mid-August, when the automaker fixed a flaw that enabled such access, after independent security researchers alerted them to the issue.

Remote Control of Kia Cars & SUVs

The glitch is similar to those that the same group of researchers and others have discovered in recent years, and is sure to stoke already high concerns over the vulnerability of modern connected vehicles to cyberattacks.

In a Sept. 26 report, independent researcher Sam Curry said he discovered the Kia vulnerability when doing some follow-up research on multiple flaws he and colleagues discovered a couple of years ago in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others.  

At the time, the researchers showed how anyone could take advantage of the vulnerabilities to issue commands for remotely locking and unlocking vehicles, starting and shutting down the engine, and activating a vehicle’s headlight and horn. Some of the flaws allowed an adversary to remotely take over an owner’s account and lock them out of managing their own vehicle, while others enabled remote access to a vehicle’s camera, with the ability to view live images from inside the vehicle. Some of the hacks required an adversary to have little more than a vehicle identification number, and sometimes even just an owner’s email address.

An Issue With Automotive API Protocols

As with many of the previous flaws, the new issue that Curry and his fellow researchers discovered had to do with the application programming interface (API) protocols that enable Internet-to-vehicle commands on Kia automobiles.

The researchers found that it was relatively easy to register a Kia dealer account and authenticate it to the account. They could then use the generated access token to call APIs reserved for use by dealers, for things like vehicle and account lookup, owner enrollment, and several other functions.

After some poking around, the researchers found that they could use their access to the dealer APIs to enter a vehicle’s license-plate information and retrieve data that essentially allowed them to control key vehicle functions. These included functions like turning the ignition on and off, remotely locking and unlocking vehicles, activating its headlights and horn, and determining its exact geolocation.

In addition, they were able to retrieve the owner’s personally identifying information (PII) and quietly register themselves as the primary account holder. That meant they had control of functions normally available only the owner. The issues affected a range of Kia model years, from 2024 and 2025 all the way back to 2013. With the older vehicles, the researchers developed a proof-of-concept tool that showed how anyone could enter a Kia’s vehicle license plate info and in a matter of 30 seconds execute remote commands on the vehicle.

“The recent discovery underscores the intricate challenges posed by the complex API protocols — such as gRPC, MQTT, and REST — used in connected cars,” says Ivan Novikov, CEO of API security firm Wallarm. “Automakers must prioritize enhancing their cybersecurity measures by implementing stronger authentication methods and securing communication channels to protect against unauthorized access.”

Akhil Mittal, senior manager of cybersecurity strategy and solutions at Synopsys Software Integrity Group, says the new discovery highlights how the biggest vulnerabilities in connected vehicles often have to do with systems that communicate with the outside world. He points to always-connected vehicle telematics systems as one example of such a component.

“Infotainment systems are another concern, as they connect to smartphones, apps, and other services, creating more entry points for hackers into the car’s internal network,” Mittal says. “The recent Kia hack really highlights how APIs and cloud services can be weak spots; if the APIs that control critical functions aren’t secured properly, they become easy targets for attackers.”

A Troubling Pattern of Cars’ Cyber Insecurity

News of the Kia hack adds to growing concerns over connected vehicles — and not just about their security either. Earlier this year, two senior US lawmakers slammed General Motors, Honda, and Hyundai for collecting extensive data from connected vehicle about owners and their movement. The two lawmakers, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) called the data collection by the three automakers of a symptomatic industry-wide problem that highlighted the need for greater oversight and scrutiny of automaker practices.

“Automotive vendors have proven irresponsible at security again and again, and I wonder how much more we are going to see before action is taken,” says David Brumley, CEO of software security firm ForAllSecure. “Yesterday the average driver worried about [the theft of their] key fob. Today, they have to worry about whether their dealer or manufacturer has an unprotected API. Where is the [National Transportation Safety Board] on this?”

Kia Motors did not respond immediately to a Dark Reading request for comment.

Source: www.darkreading.com