Vulnerability in KIA Ecuador Keyless Entry Systems Poses Theft Risk for Thousands of Vehicles

KIA vehicles in Ecuador, particularly models from 2022 to 2025 such as the Soluto, Rio, and Picanto, are facing a significant security vulnerability identified as CVE-2025-6029. This issue arises from KIA Ecuador's reliance on learning code technology instead of the more secure rolling code systems that have been standard in the industry since the mid-1990s.
Understanding the Vulnerability
KIA vehicles manufactured in 2022 and early 2023 utilize the HS2240 chip, while those from 2024 and 2025 are equipped with the EV1527 chip. Both chips employ learning codes, which create multiple attack vectors that criminals can exploit to gain unauthorized access to vehicles.
Demonstrated Attack Methods
Research conducted by security expert Erazo, presented at notable conferences such as DEF CON 32 in Las Vegas and Ekoparty 2024 in Buenos Aires, highlights several alarming attack methods. The learning code system allows attackers to execute brute force attacks against approximately one million possible fixed codes. The likelihood of success increases because a vehicle can store up to four learning codes simultaneously.


More concerning is the ability of criminals to capture radio frequency signals from legitimate key fobs and replay them to unlock vehicles, as the codes remain static and do not change with each use. Additionally, attackers can install backdoor codes on vehicle receivers, effectively programming their own keys to work with targeted vehicles.
To illustrate these vulnerabilities, Erazo developed AutoRFKiller, a Python-based tool that utilizes GNURadio modules and HackRF software-defined radio devices. This tool can unlock any vehicle using learning code key fobs and also targets rolling code systems.
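The static-code replay weakness and the four-slot point described above, as an added example that is not from the article or from AutoRFKiller: a minimal Python model of receiver-side acceptance logic, comparing a learning (fixed) code receiver with a generic counter-plus-MAC rolling scheme. The 20-bit code space, the HMAC construction, the window size and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

CODE_BITS = 20  # assumption: 2**20 codes, matching "approximately one million"
MAX_SLOTS = 4   # from the article: up to four learned codes per receiver

class LearningCodeReceiver:
    """Fixed-code model: any frame equal to a learned code is accepted."""
    def __init__(self):
        self.learned = set()

    def learn(self, code):
        if len(self.learned) >= MAX_SLOTS:
            raise ValueError("all learning slots in use")
        self.learned.add(code)

    def accept(self, code):
        return code in self.learned  # no freshness check: old frames stay valid

class RollingCodeReceiver:
    """Generic counter + MAC model (illustrative, not a vendor scheme)."""
    def __init__(self, key, window=16):
        self.key, self.last, self.window = key, 0, window

    def accept(self, frame):
        counter, tag = frame
        if not hmac.compare_digest(tag, make_tag(self.key, counter)):
            return False  # forged or corrupted frame
        if not self.last < counter <= self.last + self.window:
            return False  # stale (already used) or too far ahead
        self.last = counter  # advance so this frame can never be reused
        return True

def make_tag(key, counter):
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

def replay_outcomes():
    """Present one legitimate frame twice to each receiver model."""
    fixed, code = LearningCodeReceiver(), 0x5A5A5  # constructed sample code
    fixed.learn(code)
    rolling = RollingCodeReceiver(key=b"constructed-demo-key")
    frame = (1, make_tag(rolling.key, 1))
    fixed_result = (fixed.accept(code), fixed.accept(code))
    rolling_result = (rolling.accept(frame), rolling.accept(frame))
    return fixed_result, rolling_result

def random_match_probability(slots=MAX_SLOTS):
    """Chance that one arbitrary code matches a receiver holding `slots` codes."""
    return slots / 2 ** CODE_BITS
```

The fixed-code receiver accepts the same frame on every presentation, while the rolling model accepts it once and then rejects it because the counter has advanced.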
Broader Implications
The implications of this vulnerability extend beyond individual vehicle theft. The research indicates a significant collision problem, where one vehicle’s key fob could potentially unlock another vehicle or even a garage door due to the same learning code technology. This risk is heightened by the limited range of possible combinations and the widespread use of similar chips across various manufacturers and applications.
Although the vulnerability was reported to KIA Ecuador in May 2024, no remediation efforts have been initiated. The case is now being managed with assistance from the Automotive Security Research Group (ASRG), a non-profit organization dedicated to addressing vehicle vulnerabilities globally.


A Regional Concern
The researcher warns that this issue likely extends beyond Ecuador, suggesting that other Latin American countries may also be using similar vulnerable key fob systems. This points to a broader regional problem where locally assembled vehicles may not undergo sufficient security analysis of their components.
Recommendations for Consumers
Security experts advise consumers to demand rolling code technology in their vehicle key fobs and consider replacing learning code systems with more secure alternatives. The continued use of outdated fixed code technology in 2024 and 2025 model years poses an unacceptable security risk, leaving vehicle owners vulnerable to theft.