In another security headache for Kia, researchers discovered a vulnerability in the automaker’s systems that allowed them to gain remote access to any vehicle using its license plate number. Kia uses a dealer website to activate newly purchased vehicles and manage connected car features. Using registration links they got from Kia buyers, the researchers—led by bug bounty hunter Sam Curry—poked around the site’s code and figured out how to switch the email assigned to a given Kia to their email.They created a mobile interface to demonstrate how an attacker could type in any license plate, and then “remotely lock/unlock, start/stop, honk, and locate the vehicle.” The hack also exposed the driver’s name, phone number, email address, and physical address, which “would allow the attacker to add themselves as an invisible second user on the victim’s vehicle without their knowledge,” Curry wrote in a detailed blog post.
“These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription,” Curry says.In their testing, the hack worked on almost all vehicles made after 2013 up to the 2025 model year. The list includes the Carnival, Sportage, K5, Seltos, Soul, Sorento, EV6, EV9, Forte, K5, Niro, Telluride, Stinger, Rio, Sedona, Optima, and more.Curry and his fellow researchers—Neiko Rivera, Justin Rhinehart, and Ian Carroll—notified Kia of the bug in June, and the carmaker fixed it. “The Kia team has validated this was never exploited maliciously,” Curry says.
Recommended by Our Editors
Still, Curry cautions that “cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to takeover your Facebook account, car manufacturers could do the same for your vehicle.”Last year, Kia and its parent company, Hyundai, had to distribute anti-theft software to address a flaw in certain cars that allowed them to be started without the keys using only a screwdriver and USB cable. That hack went viral after a group of thieves known as the “Kia boys” demonstrated the flaw via TikTok videos, which spurred others to try to hijack Kia and Hyundai vehicles.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
About Emily Dreibelbis
Senior Reporter
I’m the expert at PCMag for all things electric vehicles and AI. I’ve written hundreds of articles on these topics, including product reviews, daily news, CEO interviews, and deeply reported features. I also cover other topics within the tech industry, keeping a pulse on what technologies are coming down the pipe that could shape how we live and work.
Read Emily’s full bio
Read the latest from Emily Dreibelbis