A group of security researchers discovered critical flaws in Kia's dealer portal that could let hackers locate and steal hundreds of thousands of Kia vehicles made after 2013 using just the targeted vehicle's license plate.
Almost two years ago, in 2022, some of the hackers in this group, including security researcher and bug bounty hunter Sam Curry, found other critical vulnerabilities impacting over a dozen car companies that could have allowed criminals to remotely locate, disable starters, unlock, and start over 15 million vehicles made by Ferrari, BMW, Rolls Royce, Porsche, and other carmakers.
Today, Curry revealed that the Kia web portal vulnerabilities discovered on June 11th, 2024, could be exploited to control any Kia vehicle equipped with remote hardware in under 30 seconds, "regardless of whether it had an active Kia Connect subscription."
The flaws also exposed car owners' sensitive personal information, including their name, phone number, email address, and physical address, and could have enabled attackers to add themselves as a second user on the targeted vehicles without the owners' knowledge.
To further demonstrate the issue, the team built a tool showing how an attacker could enter a vehicle's license plate and, within 30 seconds, remotely lock or unlock the car, start or stop it, honk the horn, or locate the vehicle.
The researchers registered a dealer account on Kia's kiaconnect.kdealer.com dealer portal to gain access to this information.
Once authenticated, they generated a valid access token that gave them access to backend dealer APIs, providing critical details about the vehicle owner and full access to the car's remote controls.
They found that attackers could use the backend dealer API to:
- Generate a dealer token and retrieve it from the HTTP response
- Access the victim's email address and phone number
- Modify the owner's access permissions using the leaked information
- Add an attacker-controlled email to the victim's vehicle, allowing for remote commands
"The HTTP response contained the vehicle owner's name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header," Curry said.
From there, attackers could enter a vehicle's VIN (vehicle identification number) through the API and remotely track, unlock, start, or honk the car without the owner's knowledge.
The Kia web portal flaws allowed silent, unauthorized access to a vehicle since, as Curry explained, "from the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified."
"These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously," Curry added.