Kia Vulnerabilities Could Have Let Hackers Remotely Control Vehicles Using Only a License Plate
A group of cybersecurity researchers has disclosed a set of now-fixed vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control of key functions using only a license plate.
“These breaches could have been triggered remotely on any hardware-equipped vehicle in approximately 30 seconds, regardless of whether or not it had an active Kia Connect subscription,” security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll said.
The issues affect nearly all vehicles manufactured after 2013, and also let attackers covertly obtain sensitive details such as the victim’s name, phone number, email address, and residential address.
An attacker could then abuse this to add themselves as an “undetectable” secondary user on the car without the owner’s knowledge.
The crux of the research is that the vulnerabilities abuse the Kia dealership infrastructure (“kiaconnect.kdealer[.]com”) used for vehicle activations to register a fake account via an HTTP request and then generate access tokens.
The token is then used in another HTTP request to a dealer APIGW endpoint, together with a car’s vehicle identification number (VIN), to fetch the vehicle owner’s name, phone number, and email address.
Furthermore, the researchers found that it is possible to gain access to a victim’s car by issuing just four HTTP requests, and ultimately to execute internet-to-vehicle commands:
- Generate the dealer token and retrieve the “token” header from the HTTP response using the above-mentioned approach
- Retrieve the victim’s email address and phone number
- Modify the owner’s previous access by using the leaked email address and VIN to add the attacker as the main account holder
- Add the attacker to the victim’s vehicle by adding an email address under their control as the primary owner of the vehicle, thereby enabling the execution of arbitrary commands
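A defender-side sketch of how this four-request chain could be spotted in API gateway logs. It is an added example, not code from the researchers or Kia; the event fields, action names, and 300-second window are assumptions, and the log events are constructed.

```python
from collections import defaultdict

# Hypothetical action names for the four steps listed above (assumption).
CHAIN = ("dealer_register", "owner_lookup", "owner_modify", "owner_add")

# Constructed sample events (ts in seconds); not real Kia log data.
SAMPLE_EVENTS = [
    {"ts": 100, "token": "tok-A", "action": "dealer_register", "vin": None},
    {"ts": 104, "token": "tok-A", "action": "owner_lookup", "vin": "VIN-0001"},
    {"ts": 500, "token": "tok-B", "action": "dealer_register", "vin": None},
    {"ts": 111, "token": "tok-A", "action": "owner_modify", "vin": "VIN-0001"},
    {"ts": 119, "token": "tok-A", "action": "owner_add", "vin": "VIN-0001"},
    {"ts": 9000, "token": "tok-B", "action": "owner_lookup", "vin": "VIN-0002"},
    {"ts": 9005, "token": "tok-B", "action": "owner_add", "vin": "VIN-0002"},
]


def find_takeover_chains(events, window_s=300):
    """Return sorted (token, vin) pairs where one token completes the whole
    chain in order, against a single VIN, within window_s of registering."""
    by_token = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_token[ev["token"]].append(ev)

    hits = []
    for token, evs in by_token.items():
        start = None    # timestamp of this token's registration step
        progress = {}   # vin -> index of the next expected CHAIN step
        for ev in evs:
            if ev["action"] == CHAIN[0]:
                start, progress = ev["ts"], {}
                continue
            if start is None or ev["ts"] - start > window_s:
                continue  # no registration seen, or outside the window
            step = progress.get(ev["vin"], 1)
            if ev["action"] == CHAIN[step]:
                step += 1
                if step == len(CHAIN):
                    hits.append((token, ev["vin"]))
                    step = 1
                progress[ev["vin"]] = step
    return sorted(hits)


if __name__ == "__main__":
    for token, vin in find_takeover_chains(SAMPLE_EVENTS):
        print(f"ALERT token={token} vin={vin}: new account changed primary owner")
```

In the sample data only `tok-A` is flagged: `tok-B` acts long after registering and never performs the owner-modify step.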
“From the victim’s perspective, there was no alert that their vehicle had been accessed or their access rights altered,” the researchers emphasized.

“An attacker could determine someone’s plate number, input their VIN through the API, then monitor them passively and send active commands like unlock, start, or honk.”
In a hypothetical attack scenario, a malicious actor could enter the license plate of a Kia car into a purpose-built dashboard, retrieve the victim’s data, and then issue commands to the vehicle within approximately 30 seconds.
Following responsible disclosure in June 2024, Kia resolved the vulnerabilities by August 14, 2024. There is no indication that these vulnerabilities were ever exploited in the wild.
“Vehicles will always possess vulnerabilities, as just like Meta can introduce a code alteration which could allow someone to seize control of your Facebook account, car manufacturers could enact a similar situation for your vehicle,” the researchers noted.


