On June 11, 2024, a group of independent security researchers uncovered critical vulnerabilities in Kia vehicles that allowed for remote control of key functionalities—using nothing more than a vehicle’s license plate.
The researchers revealed that attackers could execute remote commands on affected vehicles within 30 seconds, regardless of the status of Kia Connect subscriptions. This discovery also meant that an attacker could obtain sensitive personal information about vehicle owners, including names, phone numbers, and physical addresses, potentially allowing them to add themselves as unseen second users on the vehicles without the owners’ consent.
Although Kia has since patched these vulnerabilities, the incident points to broader issues within the automotive industry regarding cybersecurity and data protection.
Identifying Vulnerabilities
The research team—made up of Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll—has a track record of identifying vulnerabilities across multiple automotive brands. Their investigation into Kia began with a focus on the owners.kia.com website and the Kia Connect mobile app, the two platforms through which commands are sent to vehicles over the internet. The researchers found that while the mobile app communicated directly with the API, the website relayed commands through a backend reverse proxy. This architectural flaw opened a pathway for exploitation, prompting further investigation into Kia’s dealer infrastructure.
Targeting Dealer Infrastructure
The researchers discovered that Kia’s vehicle activation process for new purchases required customers to provide their email addresses at the dealership. Customers then received a registration link to either create a new account or add a vehicle to an existing account. By analyzing the registration links, the researchers identified an intriguing endpoint on the kiaconnect.kdealer.com domain—an area previously unexplored. They proceeded to assess how this endpoint operated, discovering a one-time access token system that Kia dealers used to grant access to vehicles. With this knowledge, the researchers experimented with the Kia dealer portal, probing the infrastructure to determine whether they could leverage their access to manipulate vehicle controls.
Uncovering the Exploitation Path
After several attempts, the team successfully registered as a dealer and generated an access token, allowing them to send requests to restricted dealer APIs. This access facilitated a sequence of commands that could be executed to take control of a victim’s vehicle. The vulnerabilities they uncovered provided a clear attack vector, enabling an unauthorized user to gain access to personal data tied to the vehicle, including the owner’s name, phone number, and email address. This discovery caused concern not just for Kia, but for the entire automotive sector, emphasizing how critical security in vehicle software has become.
In a compelling demonstration shown below, Sam Curry showcased the KiaTool, an open-source utility developed by the research team, that can unlock Kia vehicles with minimal effort.
Summary of the Flaws in API, Token Handling, and Data Protection
- Insecure API Communication: The Kia Connect app’s reliance on insecure API calls raised immediate red flags. The application failed to implement adequate verification processes, allowing attackers armed with just the vehicle’s license plate to send commands without authentication. During the demo, Curry illustrated how, with the KiaTool, he could easily send requests to the API without any checks in place.
- Authentication Bypass: The team uncovered a critical flaw in the vehicle registration process. When vehicle owners purchased their cars, they were required to submit their email addresses to dealerships. This information facilitated the sending of registration links to users. However, the researchers identified that by reverse-engineering these links, they could bypass standard authentication protocols. Curry’s demonstration highlighted this flaw, showing how a simple email manipulation could grant access to vehicle controls—essentially sidestepping the need for legitimate account creation.
- Access Token Exploitation: The researchers delved deeper into the access token system used for dealer operations. They discovered that the one-time access tokens generated for dealership transactions were not adequately protected. After registering as a dealer and gaining access to the dealer portal, the team generated valid access tokens that provided unauthorized access to dealer APIs. In his demonstration, Curry executed remote commands on a locked vehicle, showcasing the profound implications of this access token vulnerability—commanding the car to unlock with a few clicks.
- Data Leakage: In addition to remote control, the vulnerabilities allowed attackers to extract sensitive personal information linked to vehicle owners. This included names, phone numbers, and email addresses—data that could be weaponized for targeted phishing attacks or harassment. Curry emphasized the potential for this information to facilitate identity theft and physical vehicle theft, a significant concern for vehicle owners.
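As an added illustration that is not part of the original article and does not represent Kia’s actual systems, the following constructed Python model shows the three controls whose absence the list above describes: dealer activation tokens that are single-use, short-lived and bound to one dealer and one VIN; object-level authorization on every vehicle command; and owner approval before a second user gains access. All account names, VINs and dealer identifiers are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class Vehicle:
    owner: str                                   # account that approves changes
    users: set = field(default_factory=set)      # accounts allowed to command it
    invites: dict = field(default_factory=dict)  # invite id -> pending second user

class VehicleApi:
    def __init__(self, now=time.time):
        self.now = now       # injectable clock so expiry can be tested
        self.vehicles = {}   # vin -> Vehicle (constructed, in-memory store)
        self.tokens = {}     # token -> [dealer_id, vin, expires_at, used]

    def issue_dealer_token(self, dealer_id, vin, ttl=900):
        # Activation token bound to one dealer and one VIN; single use, short-lived.
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = [dealer_id, vin, self.now() + ttl, False]
        return tok

    def activate(self, tok, dealer_id, vin, owner):
        t = self.tokens.get(tok)
        # Reject unknown, used or expired tokens, or a mismatched dealer/VIN binding.
        if t is None or t[3] or self.now() > t[2] or (t[0], t[1]) != (dealer_id, vin):
            return False
        t[3] = True
        self.vehicles[vin] = Vehicle(owner, {owner})
        return True

    def send_command(self, caller, vin, command):
        # Object-level authorization: the caller must be a user of this exact vehicle.
        v = self.vehicles.get(vin)
        if v is None or caller not in v.users:
            return "denied"
        return f"{command} sent to {vin}"

    def request_second_user(self, vin, new_user):
        # Creates a pending invite only; nothing changes until the owner approves.
        invite = secrets.token_urlsafe(16)
        self.vehicles[vin].invites[invite] = new_user
        return invite

    def approve_second_user(self, approver, vin, invite):
        v = self.vehicles[vin]
        if approver != v.owner or invite not in v.invites:
            return False
        v.users.add(v.invites.pop(invite))
        return True
```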
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact