Full Report
A security flaw has been identified in the keyless entry systems (KES) used extensively in KIA vehicles across Ecuador, exposing thousands of cars to a severe risk of theft. This vulnerability, officially catalogued as CVE-2025-6029, centers around outdated technology in aftermarket key fobs homologated and distributed by KIA Ecuador. The affected models include the Kia Soluto, Rio, and Picanto from 2022 through 2025.

## The Nature of the KIA Vulnerability (CVE-2025-6029)

The Keyless Entry Vulnerability was discovered by Danilo Erazo, an independent hardware security researcher, ethical hacker, and founder of Reverse Everything. Erazo has been studying vehicle security extensively, particularly focusing on the hardware and radio frequency (RF) protocols behind key fobs used in Latin America. His research highlights a critical flaw in the KES installed on many KIA vehicles in Ecuador: the continued use of “learning code” technology, rather than more secure rolling codes.

Most modern vehicles globally employ rolling code technology, which changes the access code every time the key fob is used, drastically reducing the risk of replay attacks or key cloning. Rolling codes became widespread in vehicle security systems in the mid-1990s and have been standard in Latin America since the early 2000s. In contrast, the vulnerable KIA key fobs use fixed learning codes—static codes that remain the same every time the key fob transmits a signal.

## What Are Learning Codes?

Learning codes are programmable fixed codes stored both in the vehicle’s receiver and in the key fob transmitter. Unlike fixed codes that are permanently hardwired, learning codes can be reprogrammed. Each vehicle typically supports up to four learning codes, allowing multiple keys to be programmed to the same car. However, these codes do not change dynamically with each use, leaving them open to exploitation via replay or cloning attacks.
An attacker can capture the radio frequency signal transmitted by the key fob using specialized antennas or Software Defined Radio (SDR) devices, then replay this exact signal to unlock the vehicle—hence the vulnerability’s name, the Keyless Entry Vulnerability.

## The HS2240 and EV1527 Chips

KIA Ecuador key fobs from 2022 and early 2023 utilize the HS2240 chip, while models from 2024 and 2025 employ the EV1527 chip. Both chips rely on the same insecure learning code technology. These chips have approximately 1 million possible fixed code combinations, but with brute force methods, hackers can systematically attempt all codes to gain unauthorized access.

In addition to replay and brute force attacks, the system allows “backdoor” vulnerabilities. Since the vehicle receiver accepts up to four learning codes, malicious actors can potentially add their own fixed codes, granting permanent unauthorized access without the owner’s knowledge. This backdoor could be introduced anywhere along the production or supply chain before the vehicle reaches the customer.

The vulnerability affects thousands of KIA vehicles across Ecuador, with confirmed cases involving Kia Soluto, Rio, and Picanto models from 2022 to 2025. Theft incidents in public and private parking lots have been linked to this weakness. Although this issue has been publicly disclosed in Ecuador, it is believed that other Latin American countries also use similarly vulnerable KES in vehicles.

This security gap is exacerbated by the fact that KIA Ecuador not only installs these key fobs but also officially homologates and distributes them. Interestingly, these vulnerable key fobs are even available for purchase on the KIA Ecuador website, despite not being original equipment manufacturer (OEM) parts.

## Conclusion

Danilo Erazo’s research on CVE-2025-6029 revealed how KIA vehicles in Ecuador with learning code-based keyless entry systems (KES) are vulnerable to replay attacks, brute forcing, and backdoor access.
Danilo Erazo and other experts stress the urgent need to replace these outdated learning code fobs with rolling code technology and call on manufacturers to phase out vulnerable KES. The vulnerability also poses a global risk due to overlapping fixed code ranges.
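
The contrast between a learning-code receiver and a rolling-code receiver, as an added example that is not part of the original report or of any vendor's firmware: a model of both validation paths, showing that a repeated frame is accepted by the first and rejected by the second, plus an audit of the four enrollment slots. The 20-bit identifier width, the truncated-HMAC tag (a stand-in for a real rolling-code cipher), the class names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

MAX_SLOTS = 4   # per the report: the receiver accepts up to four learning codes
ID_BITS = 20    # assumption: "approximately 1 million" codes ~ a 20-bit identifier

class LearningCodeReceiver:
    """Fixed-code model: a frame is valid if it equals any enrolled code."""
    def __init__(self):
        self.slots = []
    def enroll(self, code):
        if len(self.slots) >= MAX_SLOTS:
            raise ValueError("all learning-code slots are in use")
        self.slots.append(code & ((1 << ID_BITS) - 1))
    def accept(self, frame):
        return frame in self.slots          # no freshness check of any kind
    def unknown_slots(self, owner_codes):
        # Audit helper: enrolled codes that match none of the owner's fobs.
        return [c for c in self.slots if c not in owner_codes]

def rolling_tag(key, counter):
    """Truncated HMAC over the counter (stand-in for a real rolling-code cipher)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    """Accepts a frame only if its counter is ahead of the last one accepted."""
    def __init__(self, key, window=16):
        self.key, self.window, self.last = key, window, 0
    def accept(self, frame):
        counter, tag = frame
        if not self.last < counter <= self.last + self.window:
            return False                    # stale (replayed) or too far ahead
        if not hmac.compare_digest(tag, rolling_tag(self.key, counter)):
            return False                    # tag not produced with the shared key
        self.last = counter                 # every older frame is now dead
        return True

def demo():
    fixed = LearningCodeReceiver()
    fixed.enroll(0x5A3C1)                   # constructed: the owner's fob
    fixed.enroll(0x0BEEF)                   # constructed: enrolled before delivery
    recorded = 0x5A3C1                      # the same value on every button press
    fixed_results = [fixed.accept(recorded), fixed.accept(recorded)]
    key = b"constructed-demo-key"
    rolling = RollingCodeReceiver(key)
    press1, press2 = (1, rolling_tag(key, 1)), (2, rolling_tag(key, 2))
    rolling_results = [rolling.accept(f) for f in (press1, press1, press2)]
    return fixed_results, rolling_results, fixed.unknown_slots({0x5A3C1})
```

`demo()` returns the accept/reject decisions for both receivers and the list of enrolled codes the owner cannot account for; the look-ahead window lets the rolling receiver tolerate button presses made out of range.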
Analysis Summary
# Vulnerability: KIA Keyless Entry System Fixed Code Vulnerability
## CVE Details
- CVE ID: CVE-2025-6029
- CVSS Score: *Score unavailable* (Severity: *Severity unavailable*)
- CWE: *CWE unavailable* (Likely related to authentication/access control issues)
## Affected Systems
- Products: KIA vehicles equipped with learning code-based Keyless Entry Systems (KES).
- Versions: Vehicle model years 2022 to 2025.
- Configurations: Specifically impacts KIA Soluto, Rio, and Picanto models in Ecuador that use fixed learning code key fobs distributed or homologated by KIA Ecuador. The issue is prevalent in regions using similarly vulnerable KES technology, potentially including other Latin American countries.
## Vulnerability Description
The vulnerability affects the Keyless Entry System (KES), which relies on fixed learning codes for authorization. Attackers can exploit this system using three primary methods:
1. **Replay Attacks:** Capturing and replaying valid key fob signals.
2. **Brute Force Attacks:** Systematically guessing the fixed codes.
3. **Backdoor Access:** Because the vehicle receiver accepts up to four learning codes, an attacker can potentially add a malicious, permanent fixed code to the system without the owner's knowledge. This compromise could be introduced during production or via the supply chain.

The vulnerability is exacerbated by the fact that vulnerable key fobs are being officially distributed and sold in Ecuador, even as non-OEM parts through the official website.
## Exploitation
- Status: Theft incidents linked to this weakness have been reported, suggesting active exploitation potential or successful exploitation in the wild in the affected region.
- Complexity: Medium (Requires proximity and potentially equipment for replay/brute force, but the "backdoor" addition is trivial once the system accepts the code).
- Attack Vector: Adjacent (Physical proximity to the vehicle).
## Impact
- Confidentiality: Low (Limited to vehicle access data).
- Integrity: High (Unauthorized modification of the vehicle's security system by adding permanent access codes).
- Availability: Medium (Vehicle theft leading to loss of availability).
## Remediation
### Patches
- *Specific patches from KIA for this hardware/firmware flaw were not detailed in the extraction, but research suggests replacement is necessary.* The general recommendation is to replace outdated learning code fobs with **rolling code technology**.
### Workarounds
- Users in affected regions (primarily Ecuador) should seek to replace the vulnerable key fobs/KES units with systems utilizing rolling code technology.
- Manufacturers should phase out vulnerable KES systems that rely on fixed, learnable codes.
## Detection
- Indicators of Compromise: Unauthorized vehicle entry or theft incidents traced back to the use of older key fobs for models listed.
- Detection methods and tools: Difficult to detect remotely. Physical inspection or analysis of the key fob technology to confirm if it uses fixed vs. rolling code technology.
## References
- Vendor Advisories: *None specified regarding CVE-2025-6029 in the provided text, though reports link to researcher Danilo Erazo.*
- Relevant links:
  - Research Article: hxxps://thecyberexpress.com/keyless-entry-vulnerability-cve-2025-6029/