Cybersecurity researchers have revealed a series of now-patched vulnerabilities in Kia vehicles that could have given attackers access to, and remote control of, a vehicle using nothing more than its license plate. “These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription,” security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll said.
The issues affect almost all vehicles manufactured after 2013 and even allow attackers to secretly access sensitive information such as the victim’s name, phone number, email address and postal address.
Basically, this could be misused by the attacker to secretly add themselves as an “invisible” second user of the car without the owner’s knowledge.
Millions of Kia Cars Vulnerable to Cyber Attacks
The research says the issues exploit the Kia dealership’s vehicle activation infrastructure (“kiaconnect.kdealer[.]com”) to create a fake account via an HTTP request and then authorise access to generate digital tokens.
The token is then used in conjunction with another HTTP request to a dealership’s APIGW endpoint and a car’s vehicle identification number (VIN) to fetch the vehicle owner’s name, phone number, and email address.
How Could Hackers Unlock Your Kia Car?
Furthermore, the researchers discovered that it was possible to gain access to a victim’s vehicle by making just four HTTP requests and then sending commands to the vehicle over the internet:
- Generate the dealer token and obtain the “Token” header from the HTTP response using the method above.
- Obtain the victim’s email address and phone number.
- Edit the owner’s previous access using the leaked email address and VIN number to add the attacker as the primary account holder.
- Add the hacker to the victim’s vehicle by adding an email address that they control as the primary owner, which will allow arbitrary commands to be executed.
“From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified,” the researchers pointed out.
“An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk.”
In a hypothetical attack scenario, a malicious actor could enter a Kia vehicle’s license plate number into a custom dashboard, obtain the victim’s information, and then, after about 30 seconds, execute commands on the vehicle.
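From the defender's side, the sequence above leaves a recognisable pattern in API gateway logs: one dealer account looks up an owner, modifies access and adds a new primary owner on the same VIN within seconds. The sketch below is an added example, not code from the researchers or Kia; the log schema, action labels, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical action labels for the last three requests of the sequence above.
CHAIN = ("owner_lookup", "access_modify", "owner_add")
WINDOW = timedelta(minutes=5)          # assumed; the article cites about 30 seconds
NEW_ACCOUNT_AGE = timedelta(hours=24)  # assumed threshold for a "fresh" dealer account

# Constructed sample events (not real logs); VINs are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T10:00:00", "account": "dealer-7731", "action": "dealer_register", "vin": None},
    {"ts": "2024-06-01T10:00:05", "account": "dealer-7731", "action": "owner_lookup", "vin": "VIN-A"},
    {"ts": "2024-06-01T10:00:12", "account": "dealer-7731", "action": "access_modify", "vin": "VIN-A"},
    {"ts": "2024-06-01T10:00:20", "account": "dealer-7731", "action": "owner_add", "vin": "VIN-A"},
    # Long-standing dealer doing the same steps over 45 minutes: not flagged.
    {"ts": "2024-06-01T09:00:00", "account": "dealer-0042", "action": "owner_lookup", "vin": "VIN-B"},
    {"ts": "2024-06-01T09:20:00", "account": "dealer-0042", "action": "access_modify", "vin": "VIN-B"},
    {"ts": "2024-06-01T09:45:00", "account": "dealer-0042", "action": "owner_add", "vin": "VIN-B"},
]

def find_takeover_chains(events, window=WINDOW):
    """Flag (account, VIN) pairs that complete CHAIN in order within `window`."""
    registered = {}               # account -> time its registration was logged
    progress = defaultdict(list)  # (account, vin) -> timestamps of matched steps
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct, action, vin = ev["account"], ev["action"], ev["vin"]
        if action == "dealer_register":
            registered[acct] = ts
            continue
        steps = progress[(acct, vin)]
        if steps and ts - steps[0] > window:
            steps.clear()         # partial chain went stale; start over
        if action == CHAIN[len(steps)]:
            steps.append(ts)
        if len(steps) == len(CHAIN):
            fresh = acct in registered and steps[0] - registered[acct] <= NEW_ACCOUNT_AGE
            alerts.append({"account": acct, "vin": vin, "new_account": fresh,
                           "seconds": (ts - steps[0]).total_seconds()})
            steps.clear()
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```

An alert with `new_account` set is the stronger signal, since the described chain began by registering a fake dealer account; pairing such an alert with a mandatory owner notification would address the silent permission change the researchers highlight.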
Is Your Car Safe in India?
Indians should not panic, as this report is currently specific to the US and no proof of such a vulnerability has been found in India. After the revelation in June 2024, Kia patched the shortcomings on August 14, 2024.
“Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle,” the researchers said.