Security researcher Danilo Erazo has uncovered two critical vulnerabilities (CVE-2025-6029 and CVE-2025-6030) in KIA Ecuador’s aftermarket keyless entry systems (KES), enabling attackers to clone key fobs and unlock vehicles via replay attacks.
Affected models include the Kia Soluto, Rio, and Picanto (2022–2025), which use insecure learning code technology despite global adoption of rolling codes since the 1990s.
Technical Breakdown of Learning Code Flaws
KIA Ecuador’s key fobs use HS2240 (2022–2023) and EV1527 (2024–2025) chips, which generate static 24-bit learning codes instead of dynamic rolling codes.
These codes occupy a finite 1-million-combination space, creating three primary risks:
- Replay Attacks: Capturing and retransmitting a single RF signal unlocks the car.
- Brute Force Exploits: Attackers can test all 1 million possible codes in under 10 minutes using tools like AutoRFKiller.
- Backdoor Injection: Receivers accept up to four codes, allowing attackers to program unauthorized “ghost” keys.

Erazo demonstrated these exploits using a HackRF SDR and custom Python scripts to intercept 315/433 MHz signals, decode fixed codes via GNU Radio, and replay them.
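Why a repeated frame passes a learning-code receiver but fails a rolling-code one, shown as an added receiver-side example (not Erazo's scripts and not any vendor's firmware). The truncated-HMAC counter scheme, the `WINDOW` value, the demo key and the sample code are assumptions made for illustration; only the four-slot limit comes from the article.

```python
import hashlib
import hmac

def tag(key: bytes, counter: int) -> bytes:
    """Truncated HMAC over the counter (assumed construction, not a vendor algorithm)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class LearningCodeReceiver:
    """Fixed-code receiver: a frame is valid if it equals any stored code."""
    MAX_SLOTS = 4  # the article states receivers accept up to four codes

    def __init__(self):
        self.slots = []

    def learn(self, code: int) -> bool:
        if len(self.slots) >= self.MAX_SLOTS:
            return False
        self.slots.append(code)
        return True

    def accept(self, frame: int) -> bool:
        return frame in self.slots  # no freshness check: identical frames always pass

class RollingCodeReceiver:
    """Counter-based receiver: each frame must be authentic and newer than the last."""
    WINDOW = 16  # assumed tolerance for button presses made out of range

    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, frame: tuple) -> bool:
        counter, mac = frame
        if not hmac.compare_digest(mac, tag(self.key, counter)):
            return False  # forged or corrupted frame
        if not self.last < counter <= self.last + self.WINDOW:
            return False  # stale (already used) or too far ahead
        self.last = counter
        return True

def demo():
    fixed = LearningCodeReceiver()
    fixed.learn(0xA5C3F1)  # constructed 24-bit sample code
    fixed_results = [fixed.accept(0xA5C3F1), fixed.accept(0xA5C3F1)]
    key = bytes(range(16))  # constructed demo key
    rolling = RollingCodeReceiver(key)
    first = (1, tag(key, 1))  # frame the fob sends on its first press
    second = (2, tag(key, 2))  # frame for the next press
    rolling_results = [rolling.accept(first), rolling.accept(first), rolling.accept(second)]
    return fixed_results, rolling_results
```

`demo()` returns the accept decisions for both receivers: the fixed-code receiver accepts the same frame every time, while the counter-based receiver accepts each frame once and rejects its repeat.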
Global Implications and Collision Risks
The vulnerabilities extend beyond Ecuador.
Learning code chips, such as EV1527, are used globally in vehicles, garage doors, and IoT devices, creating a collision risk where one key fob could unlock multiple systems.
With thousands of KIA Ecuador vehicles already on the roads and new vulnerable units sold daily, the 1-million-code pool is nearing saturation.
| Risk Factor | CVE-2025-6029 | CVE-2025-6030 |
|---|---|---|
| CVSS 3.1 Score | 9.4 | 9.4 |
| Attack Vector | Replay/Brute Force | Backdoor Injection |
| Affected Models | Kia Soluto, Rio, Picanto (2022–2025) | Kia Homologated Aftermarket KES |
| Mitigation | Replace with rolling code fobs | Disable learning code slots |
Industry Response and Remediation Challenges
KIA Ecuador has not addressed the flaws since their disclosure in May 2024, prompting the Automotive Security Research Group (ASRG) to intervene.
Dealerships compound the issue by tying warranties to insecure fobs, leaving owners vulnerable. Erazo urges:
- Consumers: Demand rolling code fobs and RF-blocking pouches.
- Regulators: Mandate cybersecurity audits for homologated automotive components.
The lack of remediation highlights systemic gaps in Latin America’s automotive cybersecurity infrastructure, emphasizing the need for global standards to phase out learning codes.
This research underscores the urgent need to retire outdated learning code systems in favor of modern cryptographic solutions.
With automotive thefts rising in Ecuador and beyond, manufacturers must prioritize security over cost-cutting before hackers exploit these flaws at scale.