IoT Security

Millions of Kia Cars Were Vulnerable to Remote Hacking

Security researchers detail vulnerabilities in Kia owners’ portal that allowed them to control vehicles remotely.

Vulnerabilities in a website dedicated to Kia vehicle owners could have allowed attackers to remotely control millions of cars, security researcher Sam Curry says.

The issues, the researcher explains, could have allowed attackers to gain control of key vehicle functions in roughly 30 seconds, using only the car’s license plate.

Furthermore, the bugs allowed the attackers to harvest the victim’s personal information, such as name, address, email address, and phone number, and to create a second user on the vehicle, without the owner’s knowledge.

Curry and three other researchers discovered that the Kia owners’ site could issue internet-to-vehicle commands and that it relied on a backend reverse proxy to forward those commands to the API responsible for executing them.

The researchers also discovered that Kia’s dealer infrastructure had a similar mechanism that proxied requests related to vehicle lookup, account lookup, vehicle enrollment, and other dealership functionality.

After registering on the Kia dealer website – a registration link is emailed to new users – with the same request used when registering on the owners’ portal, the researchers could generate an access token that allowed them to call the backend dealer APIs.

“The HTTP response contained the vehicle owner’s name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header. This meant that we could likely hit all other dealer endpoints,” Curry explains.

The newly acquired access allowed the researchers to retrieve a user’s personal information, replace the user’s email address, and add themselves as the primary account holder, which in turn allowed them to send arbitrary commands to the vehicle.

“From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified. An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk,” Curry explains.
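The failure pattern described above is a backend that picks the owner or dealer API from a request attribute the client controls, then applies an account-holder change without telling the current owner. The following is an added illustration written for this page, not Kia’s code and not the researchers’ PoC: a toy reverse proxy in Python showing that weak design next to a hardened one in which the backend is bound to the channel the token was issued for, header/token mismatches are refused and audited, and a primary-holder change is held pending the current owner’s confirmation. The header name `X-Channel`, the session store, the vehicle record and all other identifiers are assumptions made for the example.

```python
"""Added illustration, not Kia's code or the researchers' PoC: a toy model of a
reverse proxy fronting an 'owner' API and a 'dealer' API. The weak proxy selects
the backend from a client-controlled header; the hardened proxy binds the backend
to the token, audits mismatches, and notifies the current owner before a
primary-holder change takes effect. Header names, endpoints and data are assumed."""
import secrets
from dataclasses import dataclass

# Constructed sample data: one vehicle record holding the PII only dealers may see.
VEHICLES = {"VIN-EXAMPLE-001": {"owner_email": "owner@example.com", "phone": "555-0100"}}
NOTIFICATIONS: list[dict] = []   # what a real system would email/push to the owner
AUDIT: list[dict] = []           # security events a SOC would alert on


@dataclass
class Session:
    user: str
    channel: str   # audience the token was issued for: "owner" or "dealer"


SESSIONS: dict[str, Session] = {}


def issue_token(user: str, channel: str) -> str:
    """Issue an opaque session token bound to the portal it was issued through."""
    token = secrets.token_hex(8)
    SESSIONS[token] = Session(user, channel)
    return token


def owner_api(session: Session, vin: str) -> dict:
    return {"status": "ok", "backend": "owner", "vin": vin}


def dealer_api(session: Session, vin: str) -> dict:
    # Dealer lookups legitimately return the owner's contact details.
    return {"status": "ok", "backend": "dealer", "vin": vin, "record": VEHICLES.get(vin)}


def weak_proxy(headers: dict, vin: str) -> dict:
    """Weak: the backend is selected from a header the client controls, so any
    authenticated app user who edits X-Channel reaches dealer functionality."""
    session = SESSIONS.get(headers.get("Authorization", ""))
    if session is None:
        return {"status": "unauthenticated"}
    backend = dealer_api if headers.get("X-Channel") == "dealer" else owner_api
    return backend(session, vin)


def hardened_proxy(headers: dict, vin: str) -> dict:
    """Hardened: the backend follows the channel the token was issued for; a
    header that disagrees with the token is refused and written to the audit log."""
    session = SESSIONS.get(headers.get("Authorization", ""))
    if session is None:
        return {"status": "unauthenticated"}
    requested = headers.get("X-Channel", "owner")
    if requested != session.channel:
        AUDIT.append({"event": "channel_mismatch", "user": session.user,
                      "requested": requested, "issued_for": session.channel})
        return {"status": "forbidden"}
    backend = dealer_api if session.channel == "dealer" else owner_api
    return backend(session, vin)


def change_primary_holder(session: Session, vin: str, new_email: str) -> dict:
    """Hardened ownership change: dealer channel required, the current holder is
    notified and must confirm before the change is applied, and the event is audited."""
    if session.channel != "dealer":
        AUDIT.append({"event": "holder_change_denied", "user": session.user, "vin": vin})
        return {"status": "forbidden"}
    record = VEHICLES[vin]
    NOTIFICATIONS.append({"to": record["owner_email"], "vin": vin,
                          "text": f"Primary holder change requested to {new_email}; confirm or dispute."})
    AUDIT.append({"event": "holder_change_pending", "user": session.user, "vin": vin})
    return {"status": "pending_owner_confirmation"}
```

The design point is that authorization must derive from something the server established at token issuance, never from a header the caller can rewrite, and that any change to who controls a vehicle should leave a trace the legitimate owner sees.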

The issues were reported to Kia in June 2024. The carmaker acknowledged the flaws and started working on a fix that was implemented in mid-August.

In the meantime, the researchers built a proof-of-concept (PoC) dashboard that would allow an attacker to type in a license plate, retrieve the owner’s personal information, and start executing commands on the vehicle.

According to Curry, the vulnerabilities could be exploited to send commands to “pretty much any Kia vehicle made after 2013”.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
