A vulnerability in a piece of software could have allowed hackers to discover, unlock, and start any Kia vehicle built after 2013, experts have warned.

The news was broken by cybersecurity researcher and bug bounty hunter Sam Curry, previously known for finding similar flaws in 15 million Ferraris, BMWs, Porches, and other vehicles.

Curry found a way to grab tokens from the Kia website, which gave him access to a lot of things. After registering an account on the Kia dealership site and logging in, the site gave Curry a token that allowed him access to backend dealer APIs. There, with nothing more than license plate numbers, he is able to find the location of any Kia car built after 2013, unlock it, honk, start, or stop it completely.

Exposing private data

Furthermore, the token gives him access to plenty of sensitive customer information: full names, phone numbers, email addresses, and postal addresses. Curry was also able to add himself as a second user on any of the vehicles, without the first user knowing.

"The HTTP response contained the vehicle owner's name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header," Curry said.

Soon after reporting his findings to the company, Kia patched the hole up: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously," Curry concluded.

Ever since software was introduced in personal cars, privacy became a major pain point. Most car makers, including Toyota, or Mercedes, have had data-related incidents in the past.

Via BleepingComputer

More from TechRadar Pro