Major Vulnerabilities Found in Kia Vehicles Could Allow Remote Control via License Plates

Overview 

Cybersecurity researchers have uncovered a series of vulnerabilities in Kia vehicles that could have enabled hackers to remotely control critical functions using just a license plate number. These security flaws, which have since been patched, could affect nearly all Kia models manufactured after 2013. 

Remote Access Risks 

According to researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll, the vulnerabilities could be exploited in under 30 seconds, even on vehicles without an active Kia Connect subscription. The implications of such breaches are serious, allowing unauthorized access to sensitive owner information, including names, phone numbers, emails, and physical addresses. 

Exploitation Mechanism 

The vulnerabilities leverage the Kia dealership infrastructure, specifically a service used for vehicle activations (kiaconnect.kdealer[.]com). Attackers could create fake accounts through a simple HTTP request, generating access tokens that could then be exploited. 

Once the attacker possesses the necessary token, they can issue additional HTTP requests to access the vehicle’s information, such as the owner’s personal details. The research indicates that gaining access to a victim’s vehicle could be accomplished by executing just four HTTP requests: 

1. Generate a dealer token and extract the token from the HTTP response. 

2. Fetch the victim’s email address and phone number. 

3. Alter the owner’s access permissions using the leaked email and VIN. 

4. Add the attacker’s email as the primary account holder, allowing them to issue commands remotely. 

As noted by the researchers, this process occurs without any notification to the vehicle owner, making it difficult for them to detect unauthorized access or modifications to their vehicle’s access permissions. 
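Because the owner receives no notification, the backend audit trail is where this sequence would be visible. The following is an added detection sketch, not code from the researchers or from Kia: it flags one account completing an owner lookup, an access change, and a primary-owner addition on the same VIN within a short window. The event fields, action names, thresholds, and sample log are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events for a hypothetical dealer-facing API. Field and
# action names are assumptions for illustration, not Kia's real schema.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T10:00:00", "account": "dealer-a", "action": "register", "vin": None},
    {"ts": "2024-06-01T10:00:05", "account": "dealer-a", "action": "owner_lookup", "vin": "VIN-TEST-0001"},
    {"ts": "2024-06-01T10:00:11", "account": "dealer-a", "action": "modify_owner_access", "vin": "VIN-TEST-0001"},
    {"ts": "2024-06-01T10:00:19", "account": "dealer-a", "action": "add_primary_owner", "vin": "VIN-TEST-0001"},
    {"ts": "2024-01-10T09:00:00", "account": "dealer-b", "action": "register", "vin": None},
    {"ts": "2024-06-01T11:00:00", "account": "dealer-b", "action": "owner_lookup", "vin": "VIN-TEST-0002"},
    {"ts": "2024-06-01T11:45:00", "account": "dealer-b", "action": "modify_owner_access", "vin": "VIN-TEST-0002"},
]

CHAIN = ("owner_lookup", "modify_owner_access", "add_primary_owner")


def find_takeover_chains(events, window=timedelta(seconds=60),
                         new_account_age=timedelta(hours=24)):
    """Alert when one account completes CHAIN, in order, on one VIN within window."""
    registered = {}  # account -> registration time
    progress = {}    # (account, vin) -> (steps completed, time of first step)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct, action, vin = ev["account"], ev["action"], ev["vin"]
        if action == "register":
            registered[acct] = ts
            continue
        if action not in CHAIN:
            continue
        key = (acct, vin)
        step, started = progress.get(key, (0, ts))
        if ts - started > window:
            step = 0                      # chain went stale, discard progress
        if action == CHAIN[0]:
            step, started = 1, ts         # a lookup always (re)starts the chain
        elif step and action == CHAIN[step]:
            step += 1
        if step == len(CHAIN):
            age = ts - registered[acct] if acct in registered else None
            alerts.append({"account": acct, "vin": vin,
                           "seconds": (ts - started).total_seconds(),
                           "new_account": age is not None and age <= new_account_age})
            step = 0
        progress[key] = (step, started)
    return alerts
```

An alert with `new_account` set to true is the higher-priority case, since the described sequence starts from a freshly created dealer account.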

Potential Attack Scenarios 

In a typical attack scenario, a hacker could input the license plate number into a custom dashboard, retrieve the associated owner information, and then execute commands on the vehicle within approximately 30 seconds. This could enable the attacker to unlock the car, start the engine, or even honk the horn without the owner’s knowledge. 

Response from Kia 

Following a responsible disclosure of these vulnerabilities in June 2024, Kia took action and addressed the flaws by August 14, 2024. Importantly, there is no evidence that these vulnerabilities were exploited in real-world attacks. 

Conclusion 

While Kia has implemented fixes to mitigate these vulnerabilities, the incident underscores a broader concern in the automotive industry regarding cybersecurity. As vehicles become increasingly connected, the potential for such vulnerabilities remains, highlighting the need for manufacturers to prioritize security in their designs. 

The researchers concluded that, similar to vulnerabilities in software platforms, car manufacturers could inadvertently introduce flaws that compromise vehicle security. Therefore, continued vigilance and proactive measures are essential in safeguarding connected vehicles against emerging threats. 
