A team of security researchers found this problem in June. Sam Curry, Ian Carroll, Neiko Rivera, and Justin Rhinehart discovered they could take over Kia vehicles in about 30 seconds.
The hack worked on many popular Kia models. The Seltos, Soul, Sorento, Sportage, Stinger, Telluride, Forte, Niro, K5, EV6, and EV9 were all at risk.
Curry said on his website that they registered and were approved as a dealer, which gave them access to the Kia dealer portal. They learned how to access customer information and become the "primary account holders" of target vehicles. They changed the email address connected to the vehicle to an account controlled by the attackers. They also used a "third-party API to convert the license plate number to a VIN."
With control of the car, hackers could do several things. They could lock or unlock the vehicle remotely. They could start and stop the engine. They could even find out where the car was.
The team told Kia about the problem in early June. Kia fixed it in August. The researchers checked to make sure the fix worked before telling anyone else.
Kia said no one used this hack to do anything bad. The research team never released their hacking tool to the public.
Source: Samcurry