Major Security Flaw Allowed Remote Control of Kia Vehicles Using Only License Plates
In June 2024, security researchers Sam Curry and Specter uncovered a severe vulnerability affecting millions of Kia vehicles that allowed remote attackers to take control of key vehicle functions using nothing more than a license plate number. This critical flaw, which has since been patched, exposed Kia owners to significant privacy and safety risks for an extended period.
The Vulnerability
The researchers discovered they could exploit weaknesses in Kia's dealer and owner portal systems to:
- Obtain the vehicle identification number (VIN) from a license plate
- Retrieve the owner's personal information including name, email, and phone number
- Remove the legitimate owner's primary access to the vehicle
- Add themselves as the new primary account holder
Once added as the primary account, the attacker could:
- Remotely locate the vehicle
- Lock and unlock doors
- Start and stop the engine
- Activate the horn and lights
Alarmingly, this entire process could be completed in about 30 seconds without any notification to the legitimate owner. The vulnerability affected a wide range of Kia models from 2021 onwards, including popular vehicles like the Telluride, Sorento, and K5.
How It Worked
The attack exploited several weaknesses in Kia's systems:
- The ability to register as a "dealer" on Kia's dealer portal using regular customer credentials
- Insufficient access controls allowing registered "dealers" to access sensitive owner information and vehicle management functions
- The ability to demote a vehicle's primary owner and add a new primary owner without verification
The researchers created a proof-of-concept tool demonstrating how easily an attacker could take over vehicles:
- Enter a target vehicle's license plate
- Convert the license plate to a VIN using a third-party service
- Use the VIN to retrieve the owner's personal information from Kia's systems
- Demote the legitimate owner's account access
- Add the attacker's account as the new primary owner
- Gain full remote control over the vehicle
Impact and Implications
This vulnerability posed severe risks to Kia owners:
- Privacy: Attackers could obtain personal information and track vehicle locations.
- Safety: The ability to remotely control vehicle functions could be used maliciously.
- Theft: Unlocking and starting vehicles remotely could facilitate theft.
- Stalking: The location tracking feature could enable dangerous stalking behavior.
The ease and speed with which vehicles could be compromised made this vulnerability particularly concerning. An attacker with automated tools could potentially take over large numbers of vehicles in a short time.
Responsible Disclosure
The research team followed responsible disclosure practices:
- June 11, 2024: Vulnerability reported to Kia
- June-August 2024: Researchers followed up multiple times due to the severity
- August 14, 2024: Kia confirmed the vulnerability had been patched
- September 26, 2024: Researchers publicly disclosed the now-fixed vulnerability
Kia's Response
While Kia eventually fixed the vulnerability, the researchers noted some concerns with the company's handling of the report:
- Slow initial response despite the critical nature of the flaw
- Limited communication during the remediation process
- No public announcement or customer notification about the vulnerability
Lessons for the Automotive Industry
This incident highlights several key issues for automakers in the connected car era:
- API Security: Robust access controls and authentication are crucial for vehicle management APIs.
- Third-Party Risk: Vulnerabilities in dealer or partner portals can have major security implications.
- Principle of Least Privilege: Systems should limit access to only what's necessary for each user type.
- Security by Design: Vehicle architectures need to be designed with security as a primary consideration.
- Incident Response: Companies need clear processes for quickly addressing critical security reports.
- Transparency: Automakers should consider notifying customers about significant patched vulnerabilities.
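The access-control and least-privilege lessons above map directly onto the weaknesses listed under "How It Worked". The following server-side authorization check is an added example, not code from the researchers' write-up or from Kia; every role, field and function name in it is hypothetical, and it assumes dealer status is granted by a separate onboarding process rather than claimed by the caller.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of a vehicle-management API's authorization layer.
# None of these names come from Kia's systems.

@dataclass(frozen=True)
class Principal:
    account_id: str
    role: str                        # assigned server-side: "customer" or "dealer"
    dealer_verified: bool = False    # set only by out-of-band dealer onboarding
    dealership_id: Optional[str] = None

@dataclass
class Vehicle:
    vin: str
    primary_owner: str
    servicing_dealerships: set = field(default_factory=set)

@dataclass
class Decision:
    allowed: bool
    reason: str
    notify: list = field(default_factory=list)  # accounts that must be alerted

def authorize_owner_lookup(p: Principal, v: Vehicle) -> Decision:
    """Owner data is readable by the owner, or by a verified dealer tied to this VIN."""
    if p.account_id == v.primary_owner:
        return Decision(True, "owner")
    if (p.role == "dealer" and p.dealer_verified
            and p.dealership_id in v.servicing_dealerships):
        return Decision(True, "verified dealer for this vehicle", [v.primary_owner])
    return Decision(False, "no relationship to vehicle")

def authorize_primary_change(p, v, new_owner, owner_confirmation) -> Decision:
    """Replacing the primary owner requires the current owner's own approval.
    owner_confirmation: account id that approved via a separate channel, or None."""
    lookup = authorize_owner_lookup(p, v)
    if not lookup.allowed:
        return Decision(False, lookup.reason)
    if owner_confirmation != v.primary_owner:
        # Denied attempts still alert the owner, so a takeover attempt is never silent.
        return Decision(False, "current owner has not confirmed", [v.primary_owner])
    return Decision(True, "confirmed by current owner", [v.primary_owner, new_owner])
```

Each check answers one listed weakness: a self-registered "dealer" fails `dealer_verified`, a dealer with no tie to the VIN fails the relationship test, and an ownership change without the owner's confirmation is refused and reported to the owner.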
Protecting Your Vehicle
While this specific vulnerability has been fixed, Kia owners (and all connected car users) should take steps to protect themselves:
- Keep vehicle software and associated mobile apps up-to-date
- Use strong, unique passwords for vehicle accounts
- Be cautious about granting access to your vehicle through companion apps
- Monitor your vehicle account for any suspicious activity
- Consider periodically changing your vehicle account password
The Broader Context
This Kia vulnerability is part of a larger trend of security issues in connected vehicles. As cars become more technologically advanced and internet-connected, they also become more vulnerable to cyber attacks. Recent years have seen similar vulnerabilities discovered in vehicles from Tesla, Honda, Nissan, and others.
The incident serves as a wake-up call for the entire automotive industry. As vehicles increasingly resemble computers on wheels, manufacturers must prioritize cybersecurity to the same degree as physical safety features. Robust security practices, regular third-party audits, and bug bounty programs are becoming essential in the modern automotive landscape.
Conclusion
The discovery of this Kia vulnerability underscores the complex security challenges facing automakers in the connected car era. While the specific issue has been resolved, it serves as a stark reminder of the potential risks associated with increasingly computerized and internet-connected vehicles.
As cars continue to evolve technologically, close collaboration between automakers, security researchers, and regulators will be essential to ensure that our vehicles remain both innovative and secure. For consumers, staying informed about their vehicle's technology and practicing good digital hygiene will be increasingly important aspects of car ownership in the years to come.
If you want to learn about all the ins and outs of this attack, check out their write-up at the following link: https://samcurry.net/hacking-kia#attempted-http-request-to-search-vin-using-kia-dealer-apigw-endpoint