Vulnerabilities in a website dedicated to Kia vehicle owners could have allowed attackers to remotely control millions of cars, security researcher Sam Curry says.

The issues, the researcher explains, could have allowed attackers to gain control of key vehicle functions in roughly 30 seconds, using only the car’s license plate.

Furthermore, the bugs allowed the attackers to harvest the victim’s personal information, such as name, address, email address, and phone number, and to create a second user on the vehicle, without the owner’s knowledge.

Curry and three other researchers discovered that the Kia owners’ site could execute internet-to-vehicle commands and that it relied on backend reverse-proxy to redirect commands to an API responsible for command execution.

The researchers also discovered that Kia’s dealer infrastructure had a similar mechanism that proxied requests related to vehicle lookup, account lookup, vehicle enrollment, and other dealership functionality.

After registering on the Kia dealer website – a link to it is sent via email to new users for registration purposes – using the same request used when registering to the owners’ portal, the researchers could generate an access token that allowed them to call the backend dealer APIs.

“The HTTP response contained the vehicle owner’s name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header. This meant that we could likely hit all other dealer endpoints,” Curry explains.

The newly acquired access allowed the researchers to retrieve the personal information of a user, then replace the user’s email address and add themselves as the primary account holders, which then allowed them to send arbitrary commands to the vehicle.

“From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified. An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk,” Curry explains.

The issues were reported to Kia in June 2024. The carmaker acknowledged the flaws and started working on a fix that was implemented in mid-August.

In the meantime, the researchers built a proof-of-concept (PoC) dashboard that would allow an attacker to type in a license plate, retrieve the owner’s personal information, and start executing commands on the vehicle.

According to Curry, the vulnerabilities could be exploited to send commands to “pretty much any Kia vehicle made after 2013”.

Related: Ban Sought for Chinese, Russian Software and Hardware Used in Autonomous Vehicles on US Roads

Related: Second Pwn2Own Automotive Contest Offers Over $1 Million in Prizes

Related: EFF Issues New Warning After Discovery of Automated License Plate Reader Vulnerabilities

Related: New Vehicle Hack Exposes Users’ Private Data Via Bluetooth