Hackers Could Steal Millions of Kia Cars Using Just a License Plate

Security Researchers Uncover Critical Flaws in Kia Dealer Portal Exposing Millions of Cars to Remote Theft

A group of security researchers has discovered significant vulnerabilities in Kia’s dealer portal, enabling hackers to locate, unlock, and steal millions of Kia vehicles made after 2013 by using only the targeted car’s license plate. The findings were disclosed by the group, which includes Sam Curry, a prominent security researcher and bug bounty hunter.

Earlier Findings of Vulnerabilities in Other Car Manufacturers

This isn’t the first time Curry and his team have found critical security issues in automotive systems. Nearly two years ago, in 2022, they identified flaws in the systems of over a dozen automakers, including Ferrari, BMW, Porsche, and Rolls Royce. These vulnerabilities could have allowed criminals to remotely access over 15 million vehicles, enabling them to locate, unlock, start, and even disable the cars’ starters.

Discovery of Kia’s Vulnerabilities in 2024

Curry revealed that the vulnerabilities in Kia’s web portal, discovered on June 11th, 2024, could be exploited to control any Kia vehicle equipped with remote hardware in under 30 seconds. This was possible regardless of whether the vehicle had an active Kia Connect subscription, which typically governs remote access features. The flaws also exposed sensitive personal information of car owners, including names, phone numbers, email addresses, and physical addresses.

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Demonstration of the Attack

To illustrate the danger, the researchers developed a proof-of-concept tool. By entering a vehicle’s license plate, an attacker could remotely lock or unlock the car, start or stop the engine, honk the horn, or track its location, all within 30 seconds. Crucially, these actions could be performed without the owner receiving any notification.

Exploiting the Dealer Portal

The attack began when the team registered a dealer account on Kia’s official dealer portal, kiaconnect.kdealer.com. Once logged in, they generated a valid access token from the portal’s backend APIs. This token provided access to critical vehicle and owner information, including control over the car’s remote systems. Using this access, attackers could:

• Generate a dealer token and retrieve it via the HTTP response.
• Access sensitive owner information such as email addresses and phone numbers.
• Modify the owner’s permissions to add an attacker-controlled email, granting remote command access to the vehicle.

With the vehicle’s VIN (Vehicle Identification Number), attackers could remotely track, unlock, or start the car without the owner’s consent.

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link