Hackers Could Have Remotely Controlled Kia Cars With Only License Plates

A group of independent cybersecurity experts has disclosed a set of now-patched critical vulnerabilities in Korean automaker Kia Corp.’s dealer portal that could have allowed threat actors to remotely control key functions of Kia cars made after 2013 using just their license plates.

“These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription,” said security researchers Neiko Rivera, Justin Rhinehart, Ian Carroll, and Sam Curry, a prominent security researcher and bug bounty hunter.

These flaws, discovered on June 11th, 2024, also exposed sensitive personal information of the car owner, including their name, phone number, email address, and physical address.

Additionally, they could have enabled the attacker to add themselves as an invisible second user on the victim’s vehicle without the owner’s knowledge.

To demonstrate the impact of the vulnerabilities, the researchers built a tool and recorded a proof of concept using a locked rental Kia.

For those unaware, Kia makes use of a dealer website to activate newly purchased vehicles and manage connected car features.

“We learned that Kia would ask for your email address at the dealership and you’d receive a registration link to either register a new Kia account or add your newly purchased vehicle to your pre-existing Kia account,” the researchers said.

To gain access to the dealer portal, the researchers successfully registered a dealer account on Kia’s kiaconnect.kdealer.com, logged in, and obtained a valid access token for the dealer’s system.

The token allowed them to access the backend dealer APIs. These could be used to generate the dealer token and retrieve the “token” header from the HTTP response, access sensitive owner information such as email address and phone number, modify the owner’s previous access using the leaked email address and VIN (vehicle identification number), and add an attacker-controlled email to the victim’s vehicle, allowing complete access to the car’s remote controls.

“The HTTP response contained the vehicle owner’s name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header,” the researchers pointed out.

“From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified. An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk.”

The researchers carried out their hack on almost all vehicles made after 2013 up to the 2025 model year, which included the Carnival, Forte, K5, EV6, EV9, Niro, Sportage, Seltos, Soul, Sorento, Sedona, Stinger, Telluride, Rio, Optima, and more.

Curry and his fellow researchers responsibly disclosed the vulnerabilities to the Kia team on June 11, 2024, and the company remediated them on August 14, 2024. According to Kia, there is no evidence of these vulnerabilities being exploited maliciously in the wild.

“Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle,” the researchers concluded.

Kavita Iyer