Kia dealer portal flaw could let attackers hack millions of cars

A group of security researchers discovered critical flaws in Kia's dealer portal that could let hackers locate and steal millions of Kia cars made after 2013 using just the targeted vehicle's license plate.

Almost two years ago, in 2022, some of the hackers in this group, including security researcher and bug bounty hunter Sam Curry, found other critical vulnerabilities impacting over a dozen car companies that could have allowed criminals to remotely locate, disable starters, unlock, and start over 15 million vehicles made by Ferrari, BMW, Rolls Royce, Porsche, and other carmakers.

Today, Curry revealed that the Kia web portal vulnerabilities, discovered on June 11th, 2024, could be exploited to control any Kia vehicle equipped with remote hardware in under 30 seconds, "regardless of whether it had an active Kia Connect subscription."

The flaws also exposed car owners' sensitive personal information, including their name, phone number, email address, and physical address, and could have enabled attackers to add themselves as a second user on the targeted vehicles without the owners' knowledge.

To further demonstrate the issue, the team built a tool showing how an attacker could enter a vehicle's license plate and, within 30 seconds, remotely lock or unlock the car, start or stop it, honk the horn, or locate the vehicle.

The researchers registered a dealer account on Kia's kiaconnect.kdealer.com dealer portal to gain access to this information.

Once authenticated, they generated a valid access token that gave them access to the backend dealer APIs, which returned critical details about the vehicle owner and gave full access to the vehicle's remote controls.

They found that attackers could use the backend dealer API to:

  • Generate a dealer token and retrieve it from the HTTP response
  • Access the victim's email address and phone number
  • Modify the owner's access permissions using the leaked information
  • Add an attacker-controlled email to the victim's vehicle, allowing remote commands

"The HTTP response contained the vehicle owner's name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header," Curry said.

From there, attackers could enter a vehicle's VIN (vehicle identification number) through the API and remotely track, unlock, start, or honk the car without the owner's knowledge.

The Kia web portal flaws allowed silent, unauthorized access to a vehicle since, as Curry explained, "from the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified."
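The two authorization failures the chain above turns on, modelled in plain Python as an added example for this page (this is not Kia's code, and the endpoints, token format, account names, VIN and the meaning of the "channel" header are all assumptions constructed for the demonstration): a login that takes the caller's role from a client-supplied channel value, and a dealer API call that touches any VIN with no ownership check and no owner notification. Each is shown beside a hardened version, and `demo()` runs the same attacker request against both.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-key"  # constructed for the example only

# Constructed sample accounts and vehicle record (no real people, VINs or secrets).
ACCOUNTS = {
    "owner@example.com":    {"password": "hunter2", "role": "user"},
    "attacker@example.com": {"password": "pwnd",    "role": "user"},
    "dealer@example.com":   {"password": "lot123",  "role": "dealer"},
}
VIN = "KNAXXXXXXXXXXXXXX"  # placeholder, not a real VIN

def fresh_db():
    """A fresh copy of the vehicle table so each scenario starts clean."""
    return {VIN: {"owner": "owner@example.com",
                  "dealer": "dealer@example.com",   # dealer of record (assumed field)
                  "users": ["owner@example.com"]}}

def _sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def _verify(token):
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))

def _check_password(username, password):
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct["password"], password):
        raise PermissionError("bad credentials")
    return acct

# Vulnerable login: the role is taken from a client-supplied channel value.
def login_vulnerable(username, password, channel_header):
    _check_password(username, password)
    role = "dealer" if channel_header == "dealer" else "user"  # client picks its role
    return _sign({"sub": username, "role": role})

# Fixed login: the role is whatever the account record says; the header is ignored.
def login_fixed(username, password, channel_header=None):
    acct = _check_password(username, password)
    return _sign({"sub": username, "role": acct["role"]})

# Vulnerable dealer API: any dealer token may add a user to any VIN, silently.
def add_user_vulnerable(token, vin, new_email, db):
    claims = _verify(token)
    if claims["role"] != "dealer":
        raise PermissionError("dealer role required")
    db[vin]["users"].append(new_email)  # no ownership check, no notification
    return db[vin]["users"]

# Fixed dealer API: the caller must be the owner or the dealer of record for
# this VIN, and the owner is always told that someone was granted access.
def add_user_fixed(token, vin, new_email, db, outbox):
    claims = _verify(token)
    vehicle = db[vin]
    is_owner = claims["sub"] == vehicle["owner"]
    is_dealer_of_record = claims["role"] == "dealer" and claims["sub"] == vehicle["dealer"]
    if not (is_owner or is_dealer_of_record):
        raise PermissionError("not authorised for this vehicle")
    vehicle["users"].append(new_email)
    outbox.append((vehicle["owner"], f"{new_email} was granted access to {vin}"))
    return vehicle["users"]

def demo():
    """Run the attacker's request against both versions and return what happened."""
    result = {}
    # Vulnerable path: consumer credentials + modified channel header -> dealer token,
    # then that token adds the attacker to a vehicle the attacker never owned.
    db = fresh_db()
    tok = login_vulnerable("attacker@example.com", "pwnd", channel_header="dealer")
    result["attacker_role"] = _verify(tok)["role"]
    result["users_after_attack"] = add_user_vulnerable(tok, VIN, "attacker@example.com", db)
    # Fixed path: same credentials, same header, same request.
    db, outbox = fresh_db(), []
    tok = login_fixed("attacker@example.com", "pwnd", channel_header="dealer")
    result["fixed_role"] = _verify(tok)["role"]
    try:
        add_user_fixed(tok, VIN, "attacker@example.com", db, outbox)
        result["attack_blocked"] = False
    except PermissionError:
        result["attack_blocked"] = True
    # Legitimate owner grants access on the fixed path and is notified.
    tok = login_fixed("owner@example.com", "hunter2")
    add_user_fixed(tok, VIN, "spouse@example.com", db, outbox)
    result["owner_notifications"] = len(outbox)
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the two fixes is that neither the role nor the set of vehicles a token may act on is something the client gets to assert: the role is bound server-side at issuance, every per-VIN operation is checked against a relationship the backend already holds, and a change to who can command a car is visible to the person who owns it.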

“These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously,” Curry added.
