Cybersecurity researchers identified critical vulnerabilities in Kia vehicles, revealing that attackers could remotely control cars using only a license plate number. The vulnerabilities were first identified in June this year and have since been patched, but the potential impact has raised serious concerns about vehicle security.
Hacked in 30 Seconds
On 11 June 2024, a team of hackers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll) uncovered flaws in Kia’s vehicle systems that allowed them to execute commands on a car by entering its license plate.
Within 30 seconds, they could control various vehicle functions, including unlocking doors, disabling the starter, and retrieving personal information such as the owner’s name, email, and home address.
The vulnerability was not limited to vehicles equipped with Kia Connect, a service offering remote features like GPS tracking and climate control. Even cars without an active subscription were susceptible.
The researchers built a tool to demonstrate how easily the exploit could be executed but responsibly refrained from releasing it to the public. According to the Kia team, there have been no confirmed instances of malicious exploitation.
Vulnerabilities and Exploit Details
The team, which had previously identified weaknesses in other car manufacturers’ systems, decided to revisit Kia. Focusing on both the Kia Connect mobile app and the dealership infrastructure, they discovered a way to manipulate the back-end system that handled vehicle commands.
By registering a fake dealer account through Kia’s dealer website, attackers could generate access tokens that allowed them to take control of any Kia vehicle linked to the system. This method enabled them to demote the legitimate owner and add themselves as a primary user, granting full control over the vehicle.
Industry Reaction
The findings were reminiscent of a previous vulnerability in 2023 that affected millions of vehicles across several manufacturers. The Security Ledger founder, Paul Roberts, testified about the risks in a US congressional hearing. With this new Kia exploit, vehicle cybersecurity is once again under the microscope, raising questions about how manufacturers are securing modern, connected cars.
Kia has addressed the issue, patching the vulnerabilities and ensuring no further incidents occur. However, the incident highlights the growing need for robust cybersecurity in the automotive industry as more vehicles become dependent on digital systems and internet connectivity.
Mobile App, Backend API Security
“This shows how mobile app security and backend API security must be considered together,” comments George McGregor, VP of Approov Mobile Security. “The attacker was able to copy the app’s behavior, and the backend checks were not sufficient to distinguish these requests from those from a valid app.
McGregor says the API needs contextual information about what is going on in the device and the app to prevent this sort of vulnerability from being exploited. The assessment of device and app needs should also be thorough and continuous to ensure that every request is validated as legitimate.
He says an effective app attestation solution can easily stop unauthorized apps, bots, cloned mobile apps, or scripts from accessing APIs and provide a zero-trust approach that prevents this type of exploit.
What’s Next for Automotive Security?
As cars become more interconnected, the threat of cyberattacks on vehicles is no longer a distant possibility. This latest discovery stresses the need for stringent security measures and oversight to protect consumers from potential breaches.
Kia’s swift response and resolution may offer some relief to owners, but the overall security of smart vehicles remains a concern for manufacturers and consumers.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.