Hacking Kia Car Remotely With Just A License Plate


A set of security flaws in Kia cars, since fixed, allowed remote control of significant vehicle functions with just a license plate.

In roughly thirty seconds, these attacks could be carried out remotely on any hardware-equipped vehicle, even if it didn’t have a current Kia Connect membership.


The name, phone number, email address, and physical address of the victim are among the personal details that an attacker could silently obtain. This would enable the attacker to add themselves to the victim’s vehicle as an invisible second user.


The Attack Flow

According to Sam Curry’s blog, Kia will ask for your email address at the dealership and send you a registration link so you may either create a new Kia account or add your newly purchased vehicle to an existing Kia account.

The token parameter (also referred to as a VIN key) on the kiaconnect.kdealer.com domain is an access token that is created once by a Kia dealer and allows them to modify the vehicle indicated in the vin parameter.

An HTTP request is sent to verify that the token has not expired or already been used.

Experts used their own dealer token and the vehicle’s VIN to create the HTTP request to the dealer APIGW endpoint; the HTTP response included the name, phone number, and email address of the vehicle owner. 

The blog post states, “We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header. This meant that we could likely hit all other dealer endpoints.”

High Level Attack Flow

To access a victim’s vehicle, four HTTP requests could be sent:

  • Generate the Dealer Token and retrieve the “token” header from the HTTP Response.
  • Fetch Victim’s Email Address and Phone Number.
  • Modify Owner’s Previous Access using Leaked Email Address and VIN.
  • Add Attacker to Victim Vehicle: The attacker-controlled email is designated as the primary owner of the vehicle. This enables the attacker to send arbitrary commands to the vehicle.

The victim was not notified that their car had been accessed or that their access permissions had been changed.
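One way a backend team could look for the request sequence above in API gateway logs, as an added example that is not from Sam Curry’s blog or Kia’s systems. The log schema, action names, and sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample API gateway records (hypothetical schema, not Kia's).
# account_type is the server-side account record; channel is the
# client-supplied header value the request claimed.
SAMPLE_LOG = [
    {"ts": 200, "actor": "u7", "account_type": "consumer", "channel": "dealer", "action": "dealer_token", "vin": None},
    {"ts": 205, "actor": "u7", "account_type": "consumer", "channel": "dealer", "action": "owner_lookup", "vin": "VIN-B"},
    {"ts": 210, "actor": "u7", "account_type": "consumer", "channel": "dealer", "action": "owner_access_modify", "vin": "VIN-B"},
    {"ts": 215, "actor": "u7", "account_type": "consumer", "channel": "dealer", "action": "primary_owner_add", "vin": "VIN-B"},
    {"ts": 900, "actor": "u2", "account_type": "dealer", "channel": "dealer", "action": "owner_lookup", "vin": "VIN-C"},
    {"ts": 902, "actor": "u2", "account_type": "dealer", "channel": "dealer", "action": "owner_access_modify", "vin": "VIN-C"},
    {"ts": 904, "actor": "u2", "account_type": "dealer", "channel": "dealer", "action": "primary_owner_add", "vin": "VIN-C"},
    {"ts": 905, "actor": "sys", "account_type": "system", "channel": "internal", "action": "owner_notified", "vin": "VIN-C"},
]

TAKEOVER_STEPS = ["owner_lookup", "owner_access_modify", "primary_owner_add"]
WINDOW_SECONDS = 60  # the article puts the whole flow at roughly thirty seconds


def channel_mismatches(log):
    """Actors claiming the dealer channel without a dealer account on record."""
    return sorted({r["actor"] for r in log
                   if r["channel"] == "dealer" and r["account_type"] != "dealer"})


def silent_takeovers(log, window=WINDOW_SECONDS):
    """(actor, vin) pairs that ran every takeover step in order inside the
    window, with no owner notification logged for that VIN afterwards."""
    by_key, notified = defaultdict(list), defaultdict(list)
    for r in sorted(log, key=lambda r: r["ts"]):
        if r["action"] == "owner_notified":
            notified[r["vin"]].append(r["ts"])
        elif r["action"] in TAKEOVER_STEPS:
            by_key[(r["actor"], r["vin"])].append(r)
    hits = []
    for key, events in by_key.items():
        idx, start = 0, None
        for e in events:
            if start is not None and e["ts"] - start > window:
                idx, start = 0, None  # sequence went stale, start over
            if e["action"] == TAKEOVER_STEPS[idx]:
                start = e["ts"] if idx == 0 else start
                idx += 1
                if idx == len(TAKEOVER_STEPS):
                    if not any(t >= e["ts"] for t in notified[key[1]]):
                        hits.append(key)
                    break
    return hits
```

On the constructed records, the first check flags the consumer account that presented the dealer channel, and the second flags the ownership change that completed without any notification to the owner.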

By resolving a person’s license plate to their VIN through an API, an attacker could track a victim passively and issue active commands such as unlock, start, or honk.

According to experts, cars will continue to have vulnerabilities because, just as Meta could introduce a code change that would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle.

The vulnerabilities were reported to the Kia Team on June 11th, 2024, and as of August 14th, 2024, Kia had fixed the issues. The Kia team has confirmed that this flaw has never been exploited maliciously.
