Security researchers discovered critical vulnerabilities in Kia's dealer portal which could have allowed attackers to remotely control millions of Kia vehicles manufactured after 2013. These flaws were found in June 2024 and affected any car fitted with remote-control hardware, even if the owner was not subscribed to the Kia Connect service. Just by knowing the vehicle's license plate, attackers could locate, lock, unlock, start or stop the car, and access sensitive owner information such as name, address and phone number.
Attackers were able to register an account on the Kia dealer portal, generate a valid access token and, using the dealership's internal APIs, gain control over the vehicle without the owner's knowledge. In addition, they could add themselves as secondary users of the vehicle, which allowed them to execute remote commands without the owner receiving any notification. The owner's account access could also be modified, which further exposed personal data.
Fortunately, these issues have been fixed, and the tool the researchers created to demonstrate the vulnerability was never released publicly. Kia confirmed that the vulnerabilities were not exploited maliciously and thanked the researchers for their collaboration in detecting these flaws.
Source: Bleeping Computer