Warning: *privacy not included with this product
Kia is a South Korean car company founded in 1944 as a maker of bike parts. Today Kia -- owned in part by the other major South Korean car maker, Hyundai -- is known as one of the most reliable car brands in the world. Models include the Sportage, Soul, Sorento, Forte, Rio, and EVs the Niro and EV6. Their Kia Access app and Kia Connect connected services allow owners to do remote things like lock/unlock the car, find your car, set your car's cabin temperature, send locations to your car's navigation system, check your EV's charging status, find charging stations, and even pair the app with your smartwatch. So, how is happy little Kia at privacy? Holy cow, they are terrible! That makes us anything but happy.
What could happen if something goes wrong?
Now, Kia does say that they don’t collect sensory data (like audio and visual data). Phew! That is a relief since it’s pretty common for car makers to collect the data created by vehicle features that use microphones and cameras. They also say that they do not collect biometric data (like your face and fingerprints). That’s another load off, since sharing that information comes with certain risks. But wait, “unique biometric information” is listed as an example of “Sensitive Personal Information” that they do collect. Hmm. It seems like some of Kia’s data-collecting disclosures were written to cast as wide a data-catching net as possible. That is a technique we privacy researchers really hate to see when we read privacy policies. Their policy even mentions “Personal information described in California Civil Code Section 1798.80(e)” which, as we learned from reviewing Honda and other car companies, means just about any personal information under the sun “capable of being associated with you.” Yikes!
Another thing about Kia’s connected services: some of them are a bit creepy. Kia’s “My Car Zone” lets you set alerts that log other drivers’ behavior in your car. Called “Curfew Alerts, Geo-Fence, & Speed Watch,” car-owners can create settings that collect information about other drivers’ habits, “such as when the Vehicle is being driven and whether the Vehicle is being driven beyond a pre-determined speed limit or boundary location.” This feature is pitched with a parent-child relationship in mind but it’s ripe for abuse by controlling partners or family members.
Keep in mind all the data collected about you is in addition to detailed information about your car and what you do in it: how fast you drive, when you pump the brakes and buckle your seatbelts. Also, your geolocation, which can include “physical location or movements.” Hm? That’s a new one. Anyway, it’s a whole lot! But Kia doesn’t stop at drivers’ car, phone, and connected services in their quest to “Learn more about [their] customers and their [customers’] experiences” (that’s another thing that Kia says they can do with your information). They also collect information about you from “affiliates,” “partners,” “service providers,” “advertising and social networks,” as well as “data analytics, data enhancement, and market research providers” -- which sounds to us like a wordier way of saying data brokers.
What does Kia do with all that info? Ugh, we’d really like to know. Aside from marketing purposes, getting to know you better, and some other purposes that actually do sound legitimate, Kia lists a couple vague ones, like “Conduct[ing] internal research” and “Support[ing] our internal business operations.” Alrighty.
Kia also uses this mountain of data to create more data about you, called “inferences.” Practically all the car makers we looked at do. Poor form, everyone! Those inferences or assumed facts about you can be created from any of the personal information Kia has on you, reflecting your “preferences, characteristics, predispositions, behavior, attitudes, or similar behavioral information.” That’s extra creepy when you consider that they know some very intimate things about you, like everywhere you go.
One other thing that Kia does seem to do with your data is sell it. Yuck! We really hate that because they collect so much data and then say they can sell it to make more money. Nearly all the car companies we reviewed did this as well, and it sucks with everyone. They also share it with a lot of the same places they collect your data from. That list includes (once again) “affiliates,” “partners,” “service providers,” “advertising and social networks,” as well as “data analytics, data enhancement, and market research providers.” Kia might also comply with “governmental requests” for your data. Ugh, that word! At Mozilla, we believe your personal information should only be shared with the government and law enforcement when there is a legal obligation to do it. And, even then, as minimally as possible. Kia, please help yourself to our verbiage and do better. Governments shouldn't simply be able to "request" people's precise location data and information about their "sex life".
So, what control do drivers have over their data and can they ask Kia to delete it? Unfortunately, unless you won the location-based privacy lottery, then probably not. Residents of strong-privacy-law states in the US (California, Colorado, Connecticut, Virginia and Utah) have the special right to request that their data be deleted. People living in Europe under GDPR have the right to delete their data too. But call us crazy, we think everyone should have the right to get their data deleted, not just the lucky ones who live under strong privacy laws.
Speaking of having control of your data, Kia… doesn’t always. Earlier this year, the car brand went viral for the worst reason. The “Kia Challenge” on TikTok led to hundreds of car thefts, including 14 reported crashes and eight fatalities, according to the United States’ National Highway Traffic Safety Administration. Thieves known as “The Kia Boyz” posted instructional videos about how to bypass the vehicles’ security system using only a USB cable. Kia ended up having to patch eight million cars to fix it. Dang, that is really not good. Call us a tough customer, but we believe taking control of someone else’s car should be more challenging than charging your phone.
Then there was the security researcher who discovered a security vulnerability in Kia (and Honda, Infiniti, Nissan, Acura), which he said could allow hackers to do things like use the vehicle's VIN number to remotely lock/unlock the car, start/stop the car, flash the lights, honk the horn, take over the user's account, disclose personal information, lock the user out of managing their vehicle, change ownership, and "for Kia’s specifically, we could remotely access the 360-view camera and view live images from the car." Not good.
Kia's stakeholder company, the Hyundai Motor Group, also suffered a data breach that exposed the personal information of French and Italian car owners who booked a test drive. And last year the company made (another) pretty embarrassing misstep when they used an encryption key that was copied from an example, allowing a software developer to “hack” a Hyundai’s software with a simple Google search. Oof. Finally, we couldn't confirm whether Kia meets our Minimum Security Standards because we're not sure if all the data that sits on the car is encrypted. We asked, but Kia didn't answer any of our emails.
Kia’s slogan is “Movement that inspires” but after reading their privacy policies all we’re feeling inspired to do is take the bus. What could happen if something goes wrong? We don’t have to think too hard because of the ways Kia’s poor privacy and security practices have already impacted drivers. Kia’s stores of ultra-private information about you could get into worse hands because of their sloppy security. Or, TikTokers might find another embarrassingly simple way to take control of Kia owners’ cars that puts drivers' lives at risk. Kia, the next time you go to workshop your logo, we suggest you take another stab at your privacy policies instead. Until then, you should know that Kia comes with *Privacy Not Included.
Tips to protect yourself
- Be mindful that Kia Connect Services may contain content that is supplied by third parties. For example, a link may take you away from a Kia Connect Services page and onto a third party's website or application. These other websites and applications are subject to different privacy policies.
- When presented with an option on Kia Connect Services to receive certain information and/or marketing offers directly from third parties or to have Kia send certain information to third parties or give them access to it, say NO.
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner has removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What can be used to sign up?
What data does the company collect?
"Name, postal address, unique personal identifiers, online identifiers, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers; signature, Social Security number, physical characteristics, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education or employment information, financial account numbers, medical information, or health insurance information; age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex and gender information, veteran or military status, or genetic information; precise geolocation, racial or ethnic origin, religious or philosophical beliefs; union membership; genetic data; unique biometric information; contents of certain mail, emails, and text messages; or health, sex life or sexual orientation information, education records directly related to a student maintained by an educational institution or party acting on its behalf (e.g., grades, transcripts, schedules, and student ID numbers), Inferences drawn from the above information that may reflect your preferences, characteristics, predispositions, behavior, attitudes, or similar behavioral information."
Vehicle Information: "information about your Vehicle's operation, performance and condition, including such things as diagnostic trouble codes, oil life remaining, tire pressure, fuel economy and odometer readings, battery use management information, battery charging history, battery deterioration information, electrical system functions; (ii) driver behavior information, such as the actual or approximate speed of your Vehicle, seat belt use, information about braking habits and information about collisions involving your Vehicle and which air bags have deployed; (iii) information about your use of the Vehicle and its features, such as whether you have paired a mobile Device with your Vehicle; (iv) the precise geographic location of your Vehicle; (v) data about remote services we may make available such as remote lock/unlock, start/stop charge, parking location, climate control, charge schedules, and Vehicle status check; (vi) when there is a request for service made; and (vii) information about the Vehicle itself (such as the vehicle identification number (VIN), model, model year, trim, selling dealer, servicing dealer, date of purchase or lease and service history"
“unique biometric information”
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In February 2023, Kia and Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on the social media platform had led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as “the Kia Boyz” would post instructional videos about how to bypass the vehicles’ security system using tools as simple as a USB cable. The problem was so bad, some car insurers stopped insuring the impacted models of Kia and Hyundai cars.
In January 2023, a security researcher released information on security flaws in Kia's cars that could allow hackers to use the vehicle's VIN number to do things like remotely lock/unlock the car, start/stop the car, flash the lights, honk the horn, take over the user's account, disclose personal information, lock the user out of managing their vehicle, change ownership, and "for Kia’s specifically, we could remotely access the 360-view camera and view live images from the car."
In February 2021, Kia Motors America suffered a ransomware attack by the DoppelGanger gang, demanding $20 million for a decryptor and not to leak stolen data.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Kia's privacy policies too often left us confused, wondering what exactly they meant by many of their stated privacy policies and practices.
Links to privacy information
Does this product meet our Minimum Security Standards?
We cannot determine whether all data sitting on the car, including the telematic data the car collects as well as the data shared when you connect your phone, is stored encrypted, or whether all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.
You can report vulnerabilities here.
Kia Advanced Driving Assistance Systems includes Forward Collision-Avoidance Assist, Blind-Spot Collision Warning, Lane Keeping Assist, etc. These features are enabled by numerous cameras, sensors and radars on the car.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Your Car Is Tracking You Just as Much as Your Smartphone Is—and Your Data Is at Risk (The Drive)
Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challenge (The Verge)
Kia, Hyundai are easy targets for thieves, insurance data confirms (CNN)
Kia Motors America suffers ransomware attack, $20 million ransom (Bleeping Computer)
From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys (Wired)