Security News Kia dealer portal flaw could let attackers hack millions of cars (fixed)

Gandalf_The_Grey

A group of security researchers discovered critical flaws in Kia's dealer portal that could let hackers locate and steal millions of Kia cars made after 2013 using just the targeted vehicle's license plate.

Almost two years ago, in 2022, some of the hackers in this group, including security researcher and bug bounty hunter Sam Curry, found other critical vulnerabilities impacting over a dozen car companies that would've allowed criminals to remotely locate, disable starters, unlock, and start over 15 million vehicles made by Ferrari, BMW, Rolls Royce, Porsche, and other carmakers.

Today, Curry revealed that the Kia web portal vulnerabilities discovered on June 11th, 2024, could be exploited to control any Kia vehicle equipped with remote hardware in under 30 seconds, "regardless of whether it had an active Kia Connect subscription."

The flaws also exposed car owners' sensitive personal information, including their name, phone number, email address, and physical address, and could have enabled attackers to add themselves as a second user on the targeted vehicles without the owners' knowledge.

"These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously," Curry added.
