Kia just can’t catch a break when it comes to vehicle security. After the widely publicized issues with USB-based car thefts last year, the automaker now finds itself in the spotlight again—this time for remote hacking vulnerabilities that could have allowed attackers to take control of millions of vehicles. For the automotive enthusiast community, this raises serious concerns about how automakers are managing the security of increasingly connected vehicles.

Another Round of Vulnerabilities

Last year, Kia owners were plagued by a series of car thefts where bad actors exploited a design flaw, using USB devices to start and steal vehicles. Now, security researchers have uncovered a fresh set of vulnerabilities—this time in Kia’s online systems—that could have put an even larger number of cars at risk. Unlike the USB exploit, which required physical access to the vehicle, this latest flaw allowed attackers to remotely control key functions of the car from anywhere, using just the vehicle’s license plate number.

Sam Curry, a cybersecurity researcher, along with his team, discovered these vulnerabilities in Kia’s owners’ portal. This site connects Kia owners to their cars and allows them to perform various tasks like locking and unlocking doors or starting the engine. Unfortunately, the researchers found that hackers could exploit the website to hijack these functions without the owner ever knowing.

Kia’s Connected Systems Under Siege

It’s no secret that cars have become much more than mechanical machines. Today, vehicles are fully connected to the internet, allowing for remote updates, diagnostics, and even the ability to control certain features via mobile apps. While this adds convenience, it also opens the door to significant security risks, as this case with Kia shows.

Curry’s team found that by exploiting the Kia owners’ portal, a hacker could gain control over a vehicle’s features in as little as 30 seconds. Even more concerning, the flaws exposed the personal information of the vehicle owner, such as their name, address, phone number, and email. Once inside the system, the attacker could also add themselves as a second user to the vehicle without the owner’s knowledge, giving them full access to control the car.

For the enthusiast crowd who loves pushing the boundaries of technology and performance, the idea of a hacker being able to control your ride remotely is terrifying. The vulnerability didn’t just affect one or two models—it impacted nearly every Kia built after 2013. From locking and unlocking doors to starting the engine or honking the horn, a hacker could perform these actions with minimal effort, all through Kia’s own system.

The Technical Breakdown

The flaw lay in how Kia’s system handled internet-to-vehicle commands. The Kia owners’ portal used a backend reverse-proxy system to execute commands, and this is where things went wrong. Once the researchers gained access, they found they could trick the system into executing commands on behalf of a hacker.

But it wasn’t just the owners’ portal that was vulnerable. Kia’s dealership infrastructure had similar issues, allowing hackers to manipulate systems related to vehicle lookup, enrollment, and more. By using requests similar to those in the owners’ portal, hackers could generate access tokens, which allowed them to call dealer APIs and gain access to a vehicle owner’s sensitive information. With a little know-how, they could manipulate the data and assign themselves as primary users of a car.

Kia’s Ongoing Battle with Security

Kia has been in the hot seat recently, particularly with the car thefts enabled by the USB exploit, a vulnerability that affected thousands of cars in the United States. These incidents gave the automaker a reputation for poor security, and this latest hacking revelation only adds to that perception. For the automotive enthusiast community, it’s frustrating to see a brand struggle to secure its vehicles, especially when technology is such an integral part of modern car ownership.

Kia isn’t alone in facing these kinds of issues, but the fact that they’ve been hit with back-to-back security problems highlights the growing need for automakers to invest in more robust cybersecurity measures. As vehicles become more connected and reliant on software, the risks of hacking are only going to increase.

Kia’s Response and the Road Ahead

To their credit, Kia acted quickly after the vulnerabilities were reported in June 2024. By mid-August, they had implemented a fix that patched the flaw. However, for many, the damage to Kia’s reputation was already done. The idea that someone could take control of their car remotely, combined with the ease of last year’s USB hack, has left many Kia owners feeling uneasy about the brand’s commitment to security.

For the automotive industry at large, this should serve as a wake-up call. We’re living in a time when vehicles are becoming just as much about software as they are about horsepower. Automakers need to prioritize cybersecurity just as much as they do performance and reliability. For enthusiasts, a well-built machine means little if it can be controlled by a hacker thousands of miles away.

The vulnerabilities discovered by Sam Curry and his team may have been patched, but they serve as a reminder that connected cars are not just machines—they are also potential targets. As cars continue to evolve, security has to be at the forefront of innovation. Let’s hope Kia—and the entire industry—learns from this incident to keep our rides safe in the digital age.