Kia Dealer Portal Vulnerability Exposed Millions of Cars to Remote Control Attacks

Kia recently addressed a critical security flaw in its dealer portal that put millions of cars and their owners at risk. The vulnerability allowed attackers to access personal information and remotely control target vehicles.

Major Security Flaw in Kia Dealer Portal Patched

Security researcher Sam Curry uncovered the vulnerability, which could be exploited by an attacker using a vehicle’s license plate number. The flaw resided in Kia’s dealer portal, enabling unauthorized access to the car’s system. This breach allowed attackers to execute a variety of commands, including unlocking the car, starting or stopping the engine, and potentially facilitating theft.

Moreover, the vulnerability also exposed sensitive personal information, such as the owner’s name, contact details, and even allowed the attacker to add themselves as a second owner of the vehicle—all without the owner’s knowledge.

The issue affected the domain kiaconnect.kdealer.com, which is the Kia dealer portal for vehicle registration. Researchers discovered that by registering a dealer account on this domain, an attacker could generate access tokens to gain control of the vehicle. The same HTTP request used for registering on Kia’s owner website, owners.kia.com, could be leveraged to register on the dealer portal.

Once the attacker had access, they could exploit backend dealer APIs to retrieve sensitive information about the vehicle’s owner and manipulate the car’s enrollment. This allowed attackers to add, delete, or modify vehicle owners and send arbitrary commands to the vehicle’s system.

The researchers shared a demonstration video to show how the exploit worked. Importantly, this vulnerability impacted Kia vehicles regardless of whether they had an active Kia Connect subscription, further expanding the potential scope of the attack.

After identifying the flaw, the researchers contacted Kia in June 2024 and developed a tool to demonstrate the exploit. By August 2024, Kia confirmed that it had patched the vulnerability, which the researchers verified.