On June 11th, 2024, a set of vulnerabilities in Kia vehicles was discovered that allowed remote control using only a license plate, regardless of active Kia Connect subscriptions. Personal information of victims, including their name, phone number, email, and physical address, could be silently acquired. An attacker could add themselves as a second user on the victim’s vehicle without their knowledge. The team built a tool to illustrate the impact of these vulnerabilities, allowing an attacker to execute commands on a Kia vehicle remotely. While these vulnerabilities have been resolved, and the tool was not released, the Kia team confirmed no malicious exploitation occurred.
https://samcurry.net/hacking-kia