A vulnerability affecting nearly every Kia model sold in North America since 2014 allowed hackers to remotely control vehicles using nothing more than the license plate number.
They survived the “Kia Boys.” But even today, millions of Kia vehicles remain far from safe. According to a new report from cybersecurity researchers, a glaring vulnerability in the brand’s connected car system allowed anyone with basic information — such as a license plate number — to remotely unlock, start, and potentially steal a car. The flaw, now supposedly patched, once gave hackers full control of the vehicle in just seconds.
Digital convenience at the cost of security
It’s not unusual for modern cars to offer remote digital services — from starting the engine with a smartphone to locating the vehicle on a map. But this digital leap forward has a dark side. Each new feature introduces another entry point for attackers, especially when systems aren’t properly secured.
That’s what Sam Curry and Neiko Rivera — ethical hackers hired to find these vulnerabilities — discovered. By exploiting Kia’s user portal, the duo managed to impersonate legitimate car owners. The most alarming part? The attack worked even when drivers had opted out of the connected services.
The hack, explained
The vulnerability stemmed from Kia’s mobile integration system, which enables owners to issue remote commands to their vehicle. By simulating these commands, Curry and Rivera could effectively trick the system into thinking their device was the owner’s.
Once in, they could unlock the doors, flash the lights, start the engine, and more — all without setting foot near the vehicle. According to their findings, the only immediate way to prevent this kind of access was to remove the car’s SIM card or deactivate its internal modem. A radical move that underlines a deeper issue: how fragile these systems can be when not properly protected.
Kia’s response: too little, too late?
Kia acknowledged the issue after being alerted by the researchers and claimed to have resolved the vulnerability. But concerns remain. The company has not confirmed how many vehicles were affected or whether the flaw had been exploited before the discovery. What is clear is this: virtually all Kia models sold in North America since 2014 could have been exposed.
The problem doesn’t end with Kia. Other carmakers have faced similar breaches, exposing a systemic issue across the auto industry — one that demands urgent attention.
More than just a technical issue
The implications are disturbing. With only a license plate number, a bad actor could track a vehicle, control it remotely, or harass the owner. As Curry put it, “If we hadn’t brought this to Kia’s attention, anyone who knew a person’s license plate could have easily harassed them nonstop.”
In a worst-case scenario, this could be used to stalk individuals or orchestrate targeted attacks — all through digital backdoors.
Rethinking the value of being “connected”
This incident reopens a broader debate: how much privacy are we trading for digital convenience? Many connected vehicles today don’t just respond to commands — they also collect and transmit data. In some U.S. states, this data has already been used by insurers to adjust driver premiums.
In a world where cars are now effectively rolling computers, consumers have every right to demand transparency, accountability, and robust security. Until then, the message is clear: if your car is smart, your safety should be smarter.