Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions simply by using only a license plate.

"These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription," security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll said.

The issues impact almost all vehicles made after 2013, even letting attackers covertly gain access to sensitive information including the victim's name, phone number, email address, and physical address.

Essentially, this could then be abused by the adversary to add themselves as an "invisible" second user on the car without the owner's knowledge.

The crux of the research is that the issues exploit the Kia dealership infrastructure ("kiaconnect.kdealer[.]com") used for vehicle activations to register for a fake account via an HTTP request and then generate access tokens.

The token is subsequently used in conjunction with another HTTP request to a dealer APIGW endpoint and the vehicle identification number (VIN) of a car to obtain the vehicle owner's name, phone number, and email address.


Sep 26, 2024Ravie LakshmananAutomotive Industry / Technology
Remotely Controlled Kia Cars

Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions simply by using only a license plate.

"These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription," security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll said.

The issues impact almost all vehicles made after 2013, even letting attackers covertly gain access to sensitive information including the victim's name, phone number, email address, and physical address.
Cybersecurity

Essentially, this could then be abused by the adversary to add themselves as an "invisible" second user on the car without the owner's knowledge.

The crux of the research is that the issues exploit the Kia dealership infrastructure ("kiaconnect.kdealer[.]com") used for vehicle activations to register for a fake account via an HTTP request and then generate access tokens.

The token is subsequently used in conjunction with another HTTP request to a dealer APIGW endpoint and the vehicle identification number (VIN) of a car to obtain the vehicle owner's name, phone number, and email address.

What's more, the researchers found that it's possible to gain access to a victim's vehicle by as trivially as issuing four HTTP requests, and ultimately executing internet-to-vehicle commands -

- Generate the dealer token and retrieve the "token" header from the HTTP response using the aforementioned method
- Fetch victim's email address and phone number
- Modify owner's previous access using leaked email address and VIN number to add the attacker as the primary account holder
- Add attacker to victim vehicle by adding an email address under their control as the primary owner of the vehicle, thereby allowing for running arbitrary commands

"From the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified," the researchers pointed out.

"An attacker could resolve someone's license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk."

In a hypothetical attack scenario, a bad actor could enter the license plate of a Kia vehicle in a custom dashboard, retrieve the victim's information, and then execute commands on the vehicle after around 30 seconds.

Following responsible disclosure in June 2024, the flaws were addressed by Kia as of August 14, 2024. There is no evidence that these vulnerabilities were ever exploited in the wild.

"Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle," the researchers said.


Note: If this article has helped, please feel free to share. If you'd like to participate and post an article, please send your submissions to info@certificationpoint.org


—————————————---
MARKETING & PROMOTION
—————————————---

Check Out Our Video!
A Smarter Way To Collaborate: https://m.youtube.com/watch?v=hyRxJvIXNR0

Register @ CertificationPoint!
—————————————
https://www.certificationpoint.org/member/index.php?command=signup_page

Find Out More About Student FreelanceWork EXperience Builders
——————————————————————————--------
http://www.certificationpoint.org/stude ... elance.php

Take An Exam Today @ CertificationPoint
——————————--------------------------
http://certificationpoint.net/register.php

APPRENTICESHIPS @ CERTIFICATIONPOINT
——————————-----------------------------------
http://www.certificationpoint.org/Apprenticeship.php

INVESTING IN CERTIFICATIONPOINT
——————————-----------------------
http://www.certificationpoint.org/invest.php

SOCIAL MEDIA
———————
Find us on Twitter: https://twitter.com/@certpointorg
Find us on Facebook: https://www.facebook.com/CertificationPoint
Find us on Google+: https://plus.google.com/117737803640713546061
Find us on Instagram: https://www.instagram.com/certificationpoint/
Find us on Tumblr: https://www.tumblr.com/blog/certificationpoint
Find us on LinkedIn: https://www.linkedin.com/in/certification-point-65a1642b
Find us on Pinterest: https://www.pinterest.com/certoken/

Additional Options For SHARING CertificationPoint
——————————————————-------------
https://www.scribd.com/document/696921433/CertificationPoint-Manifesto
https://www.scribd.com/document/696921430/CertificationPoint-Student-Poster
https://www.scribd.com/document/696921429/CertificationPoint-Student-Flyer
https://www.scribd.com/document/696921428/CertificationPoint-Inc-Course-Catalog-2024
https://www.scribd.com/document/696921427/CertificationPoint-Magazine