Cybersecurity researchers have uncovered and reported a series of now-patched vulnerabilities in Kia vehicles that could have allowed malicious actors to gain remote control over key vehicle functions using only a license plate number. The flaws, affecting almost all Kia models manufactured since 2013, potentially exposed sensitive owner information and allowed attackers to add themselves as undetected secondary users to targeted vehicles.
The vulnerabilities exploited weaknesses in Kia's dealership infrastructure, specifically the vehicle activation system. By manipulating this system through a series of HTTP requests, attackers could generate access tokens, retrieve vehicle and owner information, and ultimately gain control over the vehicle. This process could be completed in as little as 30 seconds, regardless of whether the vehicle had an active Kia Connect subscription.
The researchers demonstrated that with just four HTTP requests, an attacker could obtain a dealer token, access the victim's contact information, modify ownership details, and add themselves as the primary owner of the vehicle. This level of access would allow the execution of various commands, including unlocking, starting, or tracking the vehicle, all without the legitimate owner's knowledge or consent.
Kia addressed these vulnerabilities on August 14, 2024, following the researchers' responsible disclosure in June 2024. While there is no evidence of these flaws being exploited in the wild, the incident highlights the ongoing cybersecurity challenges faced by the automotive industry. The researchers emphasize that as vehicles become increasingly connected, manufacturers must remain vigilant in identifying and addressing potential vulnerabilities to protect their customers' safety and privacy.
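From the defender's side, the four-step chain described above (dealer token, owner lookup, ownership change, new owner added, all within about 30 seconds) is a pattern that can be hunted for in dealer-portal audit logs. The following is an added example, not code from the researchers or Kia; the action names, log fields, and sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical action names for the four steps the article lists; a real
# dealer-portal audit log will use its own vocabulary.
CHAIN = ("dealer_token_issued", "owner_lookup", "ownership_modified", "owner_added")
WINDOW = timedelta(seconds=30)  # the article's "as little as 30 seconds"

# Constructed audit rows: (ISO timestamp, dealer token id, VIN, action).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "tok-A", "", "dealer_token_issued"),
    ("2024-01-01T10:00:05", "tok-A", "VIN-0001", "owner_lookup"),
    ("2024-01-01T10:00:11", "tok-A", "VIN-0001", "ownership_modified"),
    ("2024-01-01T10:00:18", "tok-A", "VIN-0001", "owner_added"),
    # Slow sequence spread over minutes: same actions, not flagged.
    ("2024-01-01T11:00:00", "tok-B", "", "dealer_token_issued"),
    ("2024-01-01T11:04:00", "tok-B", "VIN-0002", "owner_lookup"),
    ("2024-01-01T11:09:00", "tok-B", "VIN-0002", "ownership_modified"),
    ("2024-01-01T11:15:00", "tok-B", "VIN-0002", "owner_added"),
]

def find_rapid_takeovers(events, window=WINDOW):
    """Return (token, vin, seconds) for every token that walks CHAIN in
    order against a single VIN within `window` of the token being issued."""
    by_token = defaultdict(list)
    for ts, token, vin, action in events:
        by_token[token].append((datetime.fromisoformat(ts), vin, action))
    hits = []
    for token, rows in by_token.items():
        rows.sort(key=lambda r: r[0])
        step, start, target = 0, None, None
        for when, vin, action in rows:
            if step and when - start > window:
                step = 0                 # too slow to match; wait for a new token event
            if action != CHAIN[step]:
                continue
            if step == 0:
                start, target = when, None
            elif target is None:
                target = vin             # first VIN-bound step fixes the vehicle
            elif vin != target:
                continue                 # same token, different vehicle
            step += 1
            if step == len(CHAIN):
                hits.append((token, target, (when - start).total_seconds()))
                step = 0
    return hits

if __name__ == "__main__":
    for token, vin, secs in find_rapid_takeovers(SAMPLE_EVENTS):
        print(f"ALERT token={token} vin={vin} chain completed in {secs:.0f}s")
```

The 30-second window is taken from the article's timing claim; in practice it would be tuned against how long legitimate dealer activations take in the environment being monitored.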