Hackers Get Keys to Any Kia With Just A License Plate
Kia isn't having a great couple of years in vehicle security. From the Kia Boys making the world realize there were 5 million vehicles without immobilizers on the market to new pocket-size GameBoy-style devices, it's never been easier to be a thief targeting Korean cars.
A new proof of concept released this week—simply called Kiatool—is probably the most powerful attack against any Kia we've seen yet. And, frankly, this one is probably the scariest, too. Thankfully, it's already been patched, but I want you to hear about it anyway because it tells an extremely important story about the future of automotive cybersecurity.
Meet Sam Curry. He's one of my favorite security researchers who focuses on the automotive sector. And he has a special knack for breaking into cars. Not by brute-forcing a window with a hammer, of course, but by using some carefully crafted keystrokes to achieve the same effect. Today's victim was "pretty much any Kia vehicle made after 2013."
His latest attack takes advantage of Kia Connect. For those unfamiliar, that's the connected service that pairs a vehicle with the internet so an owner can conveniently unlock their car or turn on the heat when it's cold outside. With a bit of studying, Curry was able to figure out how to hack into virtually every single connected Kia sold in the United States over the last decade—and only took about 30 seconds.
