How Hackers Controlled Kia Cars with Just a License Plate

The Kiatool exploit

Cybersecurity researcher Sam Curry and his team uncovered a serious vulnerability in Kia’s KDealer platform, which dealerships use to manage new cars. Through this system, attackers could impersonate a dealership and gain remote control over Kia vehicles by exploiting a Kia API flaw.

The attack used a car’s license plate to obtain its VIN (vehicle identification number). Once the VIN was obtained, the attackers could generate an access token to send commands to the vehicle, such as unlocking doors, starting the engine, and tracking its location—all within 30 seconds. This method worked on nearly all Kia vehicles produced since 2013.

In addition to controlling vehicle functions, the exploit exposed sensitive personal data, including the owner’s name, email, phone number, and home address. Hackers could track a car’s location, disable security features, and even use the vehicle’s cameras without detection.

The most alarming aspect of the hack was that attackers could add themselves as invisible users to the car's system, gaining long-term access without the owner's knowledge. This could lead to serious privacy breaches, theft, or other crimes, all without triggering any alerts.

How it affects you

While Kia has since fixed the issue, the implications of this vulnerability extend beyond just Kia owners. Connected cars, which rely on internet-based systems to communicate with apps and other services, are increasingly becoming cyberattack targets. As more vehicles adopt smart technology, the potential for hacks like this grows exponentially.

If you own a vehicle with connected features, here are some steps you can take to protect yourself:

• Keep your vehicle software updated: Manufacturers often release updates addressing security vulnerabilities. Make sure your car’s firmware and any related apps are always updated
• Enable notifications for remote access: Many car apps allow you to receive alerts when certain actions are performed, such as unlocking doors or starting the engine. Activating these notifications can help you detect any suspicious activity
• Be cautious about sharing your license plate: With a simple license plate number, hackers could potentially access your vehicle. Avoid publicly sharing photos of your car with visible plates, especially on social media

The future of automotive security

This vulnerability highlights the growing risks of internet-connected cars. While convenience features like remote start and app-based control are appealing, they come with security risks many drivers may not be prepared for. 

To their credit, Kia acted swiftly to patch the flaw and has stated that there is no evidence of the exploit being used maliciously in the wild. However, the incident underscores a broader issue: as cars become more reliant on internet-based services, manufacturers must implement stronger defenses against hackers.

Vehicle owners should stay vigilant, regularly update their car’s software, and secure their connected devices to mitigate the risks of future cyberattacks. The rise of smart cars brings incredible convenience and a new frontier for hackers—one that could impact their vehicle and their privacy.