CVE-2025-6029 & CVE-2025-6030: Replay Attacks Expose Vulnerabilities in KIA and Autoeastern Smart Keyless Entry Systems
Ddos 
The vulnerable key fobs are available on the KIA Ecuador website | Image: Danilo Erazo
An independent hardware security researcher Danilo Erazo has unveiled two critical-severity vulnerabilities—CVE-2025-6029 and CVE-2025-6030—affecting smart keyless entry systems (KES) from KIA Ecuador and Autoeastern. The flaws, rated CVSS 9.4, stem from the use of outdated learning code technology in key fobs, allowing attackers to unlock vehicles via replay attacks and signal cloning.
Since the mid-1990s, rolling code technology has been the global standard for securing wireless keyless systems. Rolling codes change with every use, making it virtually impossible to clone or replay a signal.
However, Erazo’s research reveals that KIA Ecuador and Autoeastern are still equipping vehicles with learning code-based key fobs, which emit a fixed signal—leaving them open to trivial interception.
“It is unacceptable that, in 2024, systems based on fixed codes are still in use, and even more concerning that such key fobs are being officially installed,” the report warns.
The study confirms that Kia Soluto, Rio, and Picanto models from 2022 to 2025 use insecure aftermarket key fobs carrying HS2240 and EV1527 chips—both vulnerable to replay attacks. These key fobs are not OEM, but homologated and distributed by KIA Ecuador, making them appear as official factory components.
“These key fobs are not an official part of KIA cars, but KIA Ecuador carries out the homologation process for them to be installed with the KIA logo on official cars assembled in Ecuador,” the report explains.
To prove the impact of these vulnerabilities, Erazo developed AutoRFKiller, a Python-based tool using GNU Radio and a HackRF SDR to perform signal capture, brute force, and rolljam attacks.
The tool works by capturing the RF signal of a key fob and then replaying it to unlock the vehicle—without detection. In some scenarios, Erazo demonstrated backdooring the receiver by injecting a new learning code, allowing permanent unauthorized access.
These vulnerabilities extend beyond Ecuador. Vehicles across Latin America and other regions have adopted similar insecure key fobs. Because learning codes share a finite 1M-code range, the risk of code collision between cars, or even garage doors and other RF-based devices, is rising.
“At some point, this 1 million combinations range will be filled, or may already be filled… just in Ecuador, there are thousands of vehicles with these key fobs,” the report highlights.
Despite reporting the issue to KIA Ecuador in May 2024, no remediation was implemented. The case is now being handled by the Automotive Security Research Group (ASRG), a nonprofit that supports global vehicle vulnerability disclosures.
“The process of reporting this vulnerability has been complex, as there is no solid automotive cybersecurity culture in Ecuador and much of Latin America,” Erazo stated.
The recommended solution is straightforward: replace all key fobs using learning codes with those using rolling code technology. However, dealership warranty policies often force users to accept the insecure version.
Related Posts:
- Ecuador may hand over the WikiLeaks founder Assange to the UK
- Signal Desktop Application Exists Code Injection Vulnerability
- Proposed US Ban on Chinese Tech Impacts Autonomous Vehicles
- VMware Tools Update Addresses Insecure File Handling Vulnerability
- Russia-Linked Threat Actors Exploiting Signal Messenger to Eavesdrop on Sensitive Communications
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
