A security flaw has been identified in the keyless entry systems (KES) used extensively in KIA vehicles across Ecuador, exposing thousands of cars to a severe risk of theft. This vulnerability, officially catalogued as CVE-2025-6029, centers around outdated technology in aftermarket key fobs homologated and distributed by KIA Ecuador. The affected models include the Kia Soluto, Rio, and Picanto from 2022 through 2025.
The Nature of the KIA Vulnerability (CVE-2025-6029)
The Keyless Entry Vulnerability was discovered by Danilo Erazo, an independent hardware security researcher, ethical hacker, and founder of Reverse Everything. Erazo has been studying vehicle security extensively, particularly focusing on the hardware and radio frequency (RF) protocols behind key fobs used in Latin America. His research highlights a critical flaw in the KES installed on many KIA vehicles in Ecuador: the continued use of “learning code” technology, rather than more secure rolling codes.
Most modern vehicles globally employ rolling code technology, which changes the access code every time the key fob is used, drastically reducing the risk of replay attacks or key cloning. Rolling codes became widespread in vehicle security systems in the mid-1990s and have been standard in Latin America since the early 2000s. In contrast, the vulnerable KIA key fobs use fixed learning codes—static codes that remain the same every time the key fob transmits a signal.
What Are Learning Codes?
Learning codes are programmable fixed codes stored both in the vehicle’s receiver and in the key fob transmitter. Unlike fixed codes that are permanently hardwired, learning codes can be reprogrammed. Each vehicle typically supports up to four learning codes, allowing multiple keys to be programmed to the same car. However, these codes do not change dynamically with each use, leaving them open to exploitation via replay or cloning attacks.
An attacker can capture the radio frequency signal transmitted by the key fob using specialized antennas or Software Defined Radio (SDR) devices, then replay this exact signal to unlock the vehicle—hence the vulnerability’s name, the Keyless Entry Vulnerability.
The HS2240 and EV1527 Chips
KIA Ecuador key fobs from 2022 and early 2023 utilize the HS2240 chip, while models from 2024 and 2025 employ the EV1527 chip. Both chips rely on the same insecure learning code technology. These chips have approximately 1 million possible fixed code combinations, but with brute force methods, hackers can systematically attempt all codes to gain unauthorized access.
In addition to replay and brute force attacks, the system allows “backdoor” vulnerabilities. Since the vehicle receiver accepts up to four learning codes, malicious actors can potentially add their own fixed codes, granting permanent unauthorized access without the owner’s knowledge. This backdoor could be introduced anywhere along the production or supply chain before the vehicle reaches the customer.
The vulnerability affects thousands of KIA vehicles across Ecuador, with confirmed cases involving Kia Soluto, Rio, and Picanto models from 2022 to 2025. Theft incidents in public and private parking lots have been linked to this weakness. Although this issue has been publicly disclosed in Ecuador, it is believed that other Latin American countries also use similarly vulnerable KES in vehicles.
This security gap is exacerbated by the fact that KIA Ecuador not only installs these key fobs but also officially homologates and distributes them. Interestingly, these vulnerable key fobs are even available for purchase on the KIA Ecuador website, despite not being original equipment manufacturer (OEM) parts.
Conclusion
Danilo Erazo’s research on CVE-2025-6029 revealed how KIA vehicles in Ecuador with learning code-based keyless entry systems (KES) are vulnerable to replay attacks, brute forcing, and backdoor access. Danilo Erazo and other experts stress the urgent need to replace these outdated learning code fobs with rolling code technology and call on manufacturers to phase out vulnerable KES. The vulnerability also poses a global risk due to overlapping fixed code ranges.
