A series of critical vulnerabilities in KIA’s infotainment systems allows attackers to inject malicious code through seemingly harmless PNG image files, potentially compromising thousands of vehicles worldwide.
The research, presented at Hardwear.io USA on May 30, 2025, revealed that KIA’s infotainment systems run on a previously unknown proprietary Real-Time Operating System (RTOS) called iRTOS.
Erazo discovered that this system, found in models including the KIA Soluto/Pegas and KIA Picanto, contains six major security vulnerabilities that create multiple pathways for potential exploitation.

The most significant vulnerability lies in the system’s bootloader, which uses only a single-byte CRC checksum for integrity verification.
This weak protection mechanism allows attackers to modify firmware components without detection, essentially making the entire system “backdoorizable,” as Erazo demonstrated in his research.
Through hardware hacking techniques including UART access and firmware dumping, Erazo successfully extracted and analyzed the complete system firmware, revealing the underlying security weaknesses.
KIA Infotainment Systems
The infotainment units, supplied by MOTREX and built around a TMM9200 System-on-Chip, store their firmware on a 16MB SPI Flash memory chip.
The research exposed critical Bluetooth security vulnerabilities that leave vehicles open to unauthorized access. The system enforces Legacy Pairing instead of the more secure Secure Simple Pairing (SSP), using a hardcoded 4-digit PIN that defaults to “0000”.

This PIN is stored in plain text within UART logs, making it easily discoverable by attackers who gain physical or firmware access.
Erazo successfully demonstrated a man-in-the-middle attack against the Bluetooth system, intercepting and reconstructing sensitive data including phone contacts, call history, and audio communications.
The attack exploited the system’s use of outdated encryption methods and weak key management, allowing complete access to paired device information.
Additionally, the researcher discovered two private cryptographic keys embedded within the firmware, which could enable attackers to impersonate the infotainment system, decrypt communications, or sign malicious updates.
The researcher developed a proof-of-concept tool called “hack-iRTOS” that allows attackers to replace legitimate images within the firmware with malicious alternatives.
PNG File Injection
The most innovative aspect of Erazo’s research involves exploiting PNG image handling to create sophisticated attack vectors.
The attack works by maintaining the same file size and offset as original images while injecting malicious content.
According to the report, Erazo demonstrated this by replacing a legitimate QR code that normally redirects to KIA’s manual webpage with a malicious QR code pointing to an attacker-controlled site.
The system’s inadequate integrity verification means that these modified images pass all security checks, allowing the malicious firmware to be installed through standard USB update procedures.
This creates a pathway for widespread distribution of infected firmware through seemingly legitimate update channels.
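The bootloader weakness described above (a single-byte checksum) and the same-size image swap described in this section come down to one point: a non-cryptographic checksum cannot detect a deliberate modification. The following added example, which is not part of the report or of Erazo’s hack-iRTOS tool, models this with a constructed toy firmware layout and an additive 8-bit checksum as a stand-in (the page does not name the exact CRC variant), and contrasts it with the SHA-256 digest comparison a bootloader should perform before accepting an update.

```python
import hashlib
import struct

# Constructed toy firmware layout (an assumption, not the real iRTOS image format):
# 4-byte big-endian length of the image region, the image bytes, then a trailing
# single checksum byte computed over everything before it.
IMG_OFFSET = 4

def weak_checksum(data: bytes) -> int:
    """Stand-in for a single-byte additive checksum (the page does not name the algorithm)."""
    return sum(data) & 0xFF

def build_firmware(image: bytes) -> bytes:
    body = struct.pack(">I", len(image)) + image
    return body + bytes([weak_checksum(body)])

def weak_check(fw: bytes) -> bool:
    """The weak bootloader check: does the trailing byte match the additive checksum?"""
    return weak_checksum(fw[:-1]) == fw[-1]

def strong_check(fw: bytes, known_good_digest: str) -> bool:
    """What a bootloader should do: compare a cryptographic digest (or verify a signature)."""
    return hashlib.sha256(fw).hexdigest() == known_good_digest

def swap_image(fw: bytes, replacement: bytes) -> bytes:
    """Replace the embedded image in place: same offset, same size, checksum byte left as-is."""
    (length,) = struct.unpack(">I", fw[:IMG_OFFSET])
    if len(replacement) != length:
        raise ValueError("replacement must keep the original size")
    return fw[:IMG_OFFSET] + replacement + fw[IMG_OFFSET + length:]

# Constructed sample: a stand-in "image" and a same-size replacement that is a byte
# permutation of it, so an additive checksum sees no difference between the two.
ORIGINAL_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(range(16))
TAMPERED_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(reversed(range(16)))

GOOD_FW = build_firmware(ORIGINAL_IMAGE)
GOOD_DIGEST = hashlib.sha256(GOOD_FW).hexdigest()   # pinned at build time, out of band
TAMPERED_FW = swap_image(GOOD_FW, TAMPERED_IMAGE)

def verdicts() -> dict:
    return {
        "weak_passes_original": weak_check(GOOD_FW),
        "weak_passes_tampered": weak_check(TAMPERED_FW),                  # True: undetected
        "strong_passes_original": strong_check(GOOD_FW, GOOD_DIGEST),
        "strong_passes_tampered": strong_check(TAMPERED_FW, GOOD_DIGEST),  # False: detected
    }

if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name}: {ok}")
```

A digest comparison alone only helps if the reference digest cannot itself be replaced in the update package; in practice the bootloader should verify a signature over the image with a public key held in immutable storage.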
The vulnerabilities are compounded by the system’s use of outdated libraries, including MatrixSSL 3.7.1 and libpng 1.2.29, both of which contain known security vulnerabilities.
Currently, no official security updates are available for affected KIA models, leaving thousands of vehicles potentially vulnerable to these sophisticated attack methods.