Kia has found and fixed a leak on its website. Researchers could enter license plates there and thus have the opportunity to take over, switch on and track cars remotely.

A group of researchers discovered a leak in June this year while checking Kia’s website. Customers can register their car via a web portal to activate or deactivate online functions themselves (or through the car dealers). This web portal contained a leak. The researchers managed to make an API call, an option normally only available to traders.

How dangerous was the leak for drivers?

When entering the vehicle identification number, the researchers were shown various user data via the API. With this information, researchers were able to identify themselves as the primary account holder. This meant they had all the options available to them that customers and dealers also have. They were able to remotely unlock and lock the vehicle and determine its location. Switching the motor and camera on and off was also no problem. According to Wired, this was possible on every KIA car produced after 2013.

To simplify the process, the researchers developed a tool that allowed them to automatically look up the identification number from an entered license plate. This way, commands could be sent directly. When Kia was informed of the leak in June, it was immediately fixed. According to the automaker, the leak would never have been exploited by malicious hackers.

Kia was allowed to put out a fire in the USA last year. Last summer, cars were regularly stolen by “The Kia Boys” in the American city of Columbus. The engine could be started via a USB-A port under the steering wheel. The YouTube video has already been viewed more than six million times. Instead of reselling the cars illegally, the teenagers only used them for joyrides.