September 26, 2024 | Ravie Lakshmanan | Automotive Industry / Technology
Cybersecurity researchers have uncovered a series of now-fixed vulnerabilities in Kia vehicles that could have been exploited to allow remote control of key functions using only the vehicle’s license plate number.
“These attacks can be carried out remotely in approximately 30 seconds against any vehicle equipped with the hardware, regardless of whether or not it has a valid Kia Connect subscription,” said security researchers Neiko Rivera, Sam Curry, Justin Reinhart and Ian Carroll.
The issue affects nearly all vehicles manufactured since 2013 and could also allow attackers to covertly access sensitive information such as victims’ names, phone numbers, email addresses, and physical addresses.
Essentially, this could be exploited by an adversary to add themselves as an “invisible” second user of the car, without the owner’s knowledge.
At its core, the research shows that the Kia dealer infrastructure used for vehicle activation (“kiaconnect.kdealer(.)com”) could be abused to register fake accounts and generate access tokens via HTTP requests.
This token is then used in combination with another HTTP request to the dealer APIGW endpoint and the car’s Vehicle Identification Number (VIN) to retrieve the car owner’s name, phone number, and email address.
Additionally, the researchers discovered that they could gain access to a victim’s vehicle by issuing just four HTTP requests, ultimately executing commands on the vehicle over the internet:
- Generate a dealer token and retrieve the “token” header from the HTTP response using the method described above.
- Retrieve the victim’s email address and phone number.
- Modify the owner’s previous access using the leaked email address and VIN to add the attacker as the primary account owner.
- Add the attacker to the victim’s vehicle by adding an attacker-controlled email address as the primary owner of the vehicle, allowing them to execute arbitrary commands.
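From the defender's side, the request chain above leaves a recognisable pattern in API audit logs: one dealer token looks up an owner by VIN, modifies that owner's access, and adds a new primary owner within seconds. The sketch below is an added example, not code from the researchers or Kia; the event schema, action names, tokens, VINs and timestamps are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed API-gateway audit events (hypothetical schema, not Kia's):
# (timestamp, dealer token id, action, VIN, account e-mail affected)
EVENTS = [
    ("2024-06-01T10:00:00", "tok-A", "token_issued",   None,       None),
    ("2024-06-01T10:00:05", "tok-A", "owner_lookup",   "VIN-0001", None),
    ("2024-06-01T10:00:12", "tok-A", "owner_modified", "VIN-0001", "owner@example.com"),
    ("2024-06-01T10:00:20", "tok-A", "owner_added",    "VIN-0001", "new@example.net"),
    # A slow, dealership-style flow: lookup now, new owner added days later.
    ("2024-06-01T11:00:00", "tok-B", "token_issued",   None,       None),
    ("2024-06-01T11:30:00", "tok-B", "owner_lookup",   "VIN-0002", None),
    ("2024-06-03T09:00:00", "tok-B", "owner_added",    "VIN-0002", "buyer@example.org"),
]

# Ordered actions that together amount to an ownership takeover of one VIN.
CHAIN = ["owner_lookup", "owner_modified", "owner_added"]


def find_rapid_takeovers(events, window=timedelta(minutes=5)):
    """Return (token, vin) pairs where a single dealer token performed the
    full CHAIN, in order, against the same VIN within `window`."""
    by_key = defaultdict(list)
    for ts, token, action, vin, _email in events:
        if vin is not None:  # token issuance is not tied to a vehicle
            by_key[(token, vin)].append((datetime.fromisoformat(ts), action))

    hits = []
    for key, seq in by_key.items():
        seq.sort()
        step, start = 0, None
        for ts, action in seq:
            if action == CHAIN[0]:
                step, start = 1, ts  # each lookup (re)starts the chain
            elif step and ts - start <= window and action == CHAIN[step]:
                step += 1
                if step == len(CHAIN):
                    hits.append(key)
                    break
    return hits


if __name__ == "__main__":
    for token, vin in find_rapid_takeovers(EVENTS):
        print(f"ALERT: token {token} completed an ownership change on {vin}")
```

Because the researchers note that owners were never notified, an alert like this would also be a natural point to trigger an out-of-band notice to the existing owner before the change takes effect.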
“Victims were not notified that their vehicles had been accessed or that their access permissions had been changed,” the researchers noted.
“An attacker could resolve someone’s license plate number, input the VIN through an API, passively track them, and send active commands like unlock, start, honk, etc.”
In a hypothetical attack scenario, a malicious actor could enter the license plate number of a Kia vehicle into a custom dashboard, obtain the victim’s information, and then execute commands on the vehicle about 30 seconds later.
Following responsible disclosure in June 2024, the flaws were fixed by Kia as of August 14, 2024. There is no evidence that these vulnerabilities have been exploited in the wild.
“Cars will continue to be vulnerable because, just as Meta could introduce code changes that could allow someone to take over a Facebook account, car manufacturers could do the same with their cars,” the researchers said.