Cybersecurity researchers have disclosed a set of now-patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed key functions to be controlled remotely using nothing more than a license plate.
“These attacks could be performed remotely on any vehicle equipped with the hardware in about 30 seconds, regardless of whether it had an active Kia Connect subscription,” security researchers Neiko Rivera, Sam Curry, Justin Rinehart and Ian Carroll said.
The issues affect nearly all vehicles manufactured after 2013 and also let attackers covertly obtain sensitive information, including a victim’s name, phone number, email address and physical address.
Essentially, an adversary can abuse this to add themselves as an “invisible” second user of the vehicle without the owner’s knowledge.
In short, the issues abuse Kia’s dealership infrastructure (“kiaconnect.kdealer(.)com”), which is used to activate vehicles, to register a fake account via an HTTP request and then generate access tokens.
The token is then used, together with the Vehicle Identification Number (VIN), in another HTTP request to the dealer’s APIGW endpoint to retrieve the vehicle owner’s name, phone number, and email address.
What’s more, the researchers discovered that gaining access to a victim’s vehicle could be as simple as sending four HTTP requests and ultimately executing internet-to-vehicle commands:
- Create a dealer token and get the “token” header from the HTTP response using the above method
- Get the victim’s email address and phone number
- Modify the owner’s previous access using the email address and VIN to add the attacker as the primary account owner
- Add the attacker to the victim’s vehicle by adding an email address under their control as the primary owner of the vehicle, allowing them to run arbitrary commands
“There was no notification from the victim that their vehicle was accessed, and their access permissions were not changed,” the researchers noted.
“An attacker can decipher someone’s license plate, enter their VIN through an API, then passively track them and send active commands such as unlock, start, or beep.”
In a hypothetical attack scenario, an attacker could enter a Kia’s license plate number on a special dashboard, get the victim’s information, and then execute commands on the car in about 30 seconds.
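For defenders running a similar dealer-facing API, the sequence described above (owner lookup, owner-access change, owner add, all by one token on one VIN within seconds) is a detectable pattern. The following is an added example, not code from the researchers or Kia; the log schema, action names, token ids, VINs and the 60-second threshold are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
# Hypothetical action names for the steps described in the article.
CHAIN = ("owner_lookup", "owner_access_modify", "owner_add")
WINDOW = timedelta(seconds=60)  # assumed threshold; the article cites ~30 s

# Constructed records: (timestamp, token id, action, VIN). Not a real log format.
SAMPLE_EVENTS = [
    ("2024-06-01T09:00:00", "tok-B", "owner_lookup", "VIN-SAMPLE-0002"),
    ("2024-06-01T10:00:00", "tok-A", "dealer_register", None),
    ("2024-06-01T10:00:05", "tok-A", "owner_lookup", "VIN-SAMPLE-0001"),
    ("2024-06-01T10:00:12", "tok-A", "owner_access_modify", "VIN-SAMPLE-0001"),
    ("2024-06-01T10:00:20", "tok-A", "owner_add", "VIN-SAMPLE-0001"),
    ("2024-06-01T10:00:27", "tok-A", "vehicle_command", "VIN-SAMPLE-0001"),
    ("2024-06-01T11:30:00", "tok-B", "owner_add", "VIN-SAMPLE-0002"),
    ("2024-06-01T12:00:00", "tok-C", "owner_lookup", "VIN-SAMPLE-0003"),
    ("2024-06-01T12:00:10", "tok-C", "owner_access_modify", "VIN-SAMPLE-0003"),
    ("2024-06-01T12:05:00", "tok-C", "owner_add", "VIN-SAMPLE-0003"),
]

def find_takeover_chains(events, window=WINDOW):
    """Alert when one token walks CHAIN in order on one VIN within `window`."""
    registered, progress, alerts = {}, {}, []
    for ts_raw, token, action, vin in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_raw)
        if action == "dealer_register":
            registered[token] = ts          # remember when the token appeared
            continue
        key = (token, vin)
        if action == CHAIN[0]:
            progress[key] = (1, ts)         # (next expected stage, chain start)
            continue
        stage, start = progress.get(key, (0, None))
        if stage == 0 or action != CHAIN[stage]:
            continue                        # unrelated or out-of-order request
        if ts - start > window:
            del progress[key]               # too slow to match the pattern
            continue
        if stage + 1 < len(CHAIN):
            progress[key] = (stage + 1, start)
            continue
        del progress[key]
        reg = registered.get(token)
        alerts.append({"token": token, "vin": vin,
                       "seconds": (ts - start).total_seconds(),
                       "new_token": reg is not None and start - reg <= window})
    return alerts

if __name__ == "__main__":
    print(find_takeover_chains(SAMPLE_EVENTS))
```

On the constructed sample, only `tok-A` is flagged: `tok-B` never changes owner access, and `tok-C` takes five minutes to complete the sequence.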
Following responsible disclosure in June 2024, Kia fixed the flaws as of August 14, 2024. There is no evidence that these vulnerabilities were ever exploited in the wild.
“Cars will still have vulnerabilities, because in the same way that Meta could make code changes that would allow someone to take over your Facebook account, car manufacturers could do the same to your car,” the researchers said.