Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia autos that, if efficiently exploited, may have allowed distant management over key capabilities just by utilizing solely a license plate.
“These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription,” safety researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll stated.
The problems impression virtually all autos made after 2013, even letting attackers covertly achieve entry to delicate info together with the sufferer’s title, cellphone quantity, e mail handle, and bodily handle.
Basically, this might then be abused by the adversary so as to add themselves as an “invisible” second consumer on the automotive with out the proprietor’s data.
The crux of the analysis is that the problems exploit the Kia dealership infrastructure (“kiaconnect.kdealer[.]com”) used for car activations to register for a faux account by way of an HTTP request after which generate entry tokens.
The token is subsequently used together with one other HTTP request to a vendor APIGW endpoint and the car identification quantity (VIN) of a automotive to acquire the car proprietor’s title, cellphone quantity, and e mail handle.
What’s extra, the researchers discovered that it is doable to realize entry to a sufferer’s car by as trivially as issuing 4 HTTP requests, and finally executing internet-to-vehicle instructions –
- Generate the vendor token and retrieve the “token” header from the HTTP response utilizing the aforementioned methodology
- Fetch sufferer’s e mail handle and cellphone quantity
- Modify proprietor’s earlier entry utilizing leaked e mail handle and VIN quantity so as to add the attacker as the first account holder
- Add attacker to sufferer car by including an e mail handle beneath their management as the first proprietor of the car, thereby permitting for working arbitrary instructions
“From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified,” the researchers identified.
“An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk.”
In a hypothetical assault state of affairs, a nasty actor may enter the license plate of a Kia car in a customized dashboard, retrieve the sufferer’s info, after which execute instructions on the car after round 30 seconds.
Following accountable disclosure in June 2024, the issues have been addressed by Kia as of August 14, 2024. There isn’t a proof that these vulnerabilities have been ever exploited within the wild.
“Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle,” the researchers stated.
