Kia dealer portal flaw might let attackers hack thousands and thousands of vehicles


A group of security researchers found critical flaws in Kia’s dealer portal that could let hackers locate and steal thousands and thousands of Kia vehicles made after 2013 using just the targeted vehicle’s license plate.

Nearly two years ago, in 2022, some of the hackers in this group, including security researcher and bug bounty hunter Sam Curry, found other critical vulnerabilities impacting over a dozen car companies that could have allowed criminals to remotely locate, disable starters, unlock, and start over 15 million vehicles made by Ferrari, BMW, Rolls Royce, Porsche, and other carmakers.

Today, Curry revealed that the Kia web portal vulnerabilities discovered on June 11th, 2024, could be exploited to control any Kia vehicle equipped with remote hardware in under 30 seconds, “regardless of whether it had an active Kia Connect subscription.”

The flaws also exposed car owners’ sensitive personal information, including their name, phone number, email address, and physical address, and could have enabled attackers to add themselves as a second user on the targeted vehicles without the owners’ knowledge.

To further demonstrate the issue, the team built a tool showing how an attacker could enter a vehicle’s license plate and, within 30 seconds, remotely lock or unlock the car, start or stop it, honk the horn, or locate the vehicle.

The researchers registered a dealer account on Kia’s kiaconnect.kdealer.com dealer portal to gain access to this information.

Once authenticated, they generated a valid access token that gave them access to backend dealer APIs, giving them critical details about the vehicle owner and full access to the car’s remote controls.

They found that attackers could use the backend dealer API to:

  • Generate a dealer token and retrieve it from the HTTP response
  • Access the victim’s email address and phone number
  • Modify the owner’s access permissions using leaked information
  • Add an attacker-controlled email to the victim’s vehicle, allowing for remote commands

“The HTTP response contained the vehicle owner’s name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header,” Curry said.

From there, attackers could enter a vehicle’s VIN (vehicle identification number) through the API and remotely track, unlock, start, or honk the car without the owner’s knowledge.

The Kia web portal flaws allowed silent, unauthorized access to a vehicle since, as Curry explained, “from the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified.”

“These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously,” Curry added.
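The two gaps described above (a client-supplied channel header deciding dealer access, and access changes that never notify the owner) are contrasted with a server-side check in this added Python example, which is not Kia's or the researchers' code. The header name `X-Channel`, the tokens, roles, VINs and field names are all constructed assumptions.

```python
# Constructed sample account store; tokens, roles and VINs are made up.
ACCOUNTS = {
    "tok-owner-1": {"user": "owner@example.com", "role": "customer"},
    "tok-dealer-7": {"user": "dealer7@example.com", "role": "dealer",
                     "vins": {"VIN-A"}},
}
CHANNEL_HEADER = "X-Channel"  # hypothetical header name


def weak_is_dealer(request):
    """Weak pattern: the role is read from a header the client controls."""
    return request["headers"].get(CHANNEL_HEADER) == "dealer"


def authorize_dealer_action(request, vin):
    """Hardened: role and vehicle scope come from the server-side record
    bound to the token; the channel header is ignored for authorization."""
    account = ACCOUNTS.get(request["token"])
    if account is None:
        return False, "unknown token"
    if account["role"] != "dealer":
        return False, "account is not a dealer"
    if vin not in account.get("vins", set()):
        return False, "vehicle not assigned to this dealer"
    return True, "ok"


def add_vehicle_user(request, vin, new_email, owner_email, outbox):
    """Change access only after authorization, and always notify the owner."""
    allowed, reason = authorize_dealer_action(request, vin)
    if not allowed:
        return reason
    # The owner hears about every access change, so it cannot happen silently.
    outbox.append((owner_email, f"{new_email} was granted access to {vin}"))
    return "ok"


if __name__ == "__main__":
    # Customer credentials sent with a modified channel header (constructed).
    req = {"token": "tok-owner-1", "headers": {CHANNEL_HEADER: "dealer"}}
    print("header-based check:", weak_is_dealer(req))
    print("server-side check:", authorize_dealer_action(req, "VIN-A"))
```
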
