Kia not too long ago addressed a severe safety vulnerability, risking its vehicles. The vulnerability existed within the Kia seller portal, permitting an adversary to entry victims’ private info and take management of the goal automobile.
Safety Flaw Patched In Kia Supplier Portal
Safety researcher Sam Curry not too long ago shared insights a few severe vulnerability threatening the safety of Kia vehicles and their customers.
Particularly, Curry and the staff observed that an adversary may goal any Kia automobile utilizing its license plate. The vulnerability existed as a result of coming into this element within the Kia seller portal may enable quick entry to the goal automobile’s system. This, in flip, would enable the attacker to execute numerous instructions, reminiscent of unlocking the automobile, which risked automobile theft, beginning/stopping the automobile, and extra. Moreover, the attacker may additionally entry the automobile proprietor’s private info and add himself because the automobile’s second proprietor with out alerting the sufferer.
The problem impacted Kia’s area “kiaconnect.kdealer.com,” the seller portal for automobile registration. An adversary may register a seller account on this area and generate entry tokens for automobile registration.
The researchers may register a seller account utilizing the identical HTTP request used to register on Kia Proprietor’s web site, “house owners.kia.com.” As soon as accomplished, the researchers may name the backend seller APIs to get the automobile proprietor’s info, together with identify, contact quantity, and electronic mail deal with.
Additional, the researchers may additionally entry different endpoints governing automobile enrollments and modifications. Consequently, they might entry the goal automobile’s system, add/delete/modify the automobile proprietor, and ship arbitrary instructions to the automobile.
The researchers shared the small print of this assault in a publish, demonstrating the exploit within the following video.
This vulnerability affected Kia automobiles “no matter an energetic Kia Join subscription,” thus enhancing the risk radius. The researchers have additionally shared an inventory of all automobiles affected by this flaw.
Following this discovery, the researchers contacted Kia in June 2024. The researchers even developed a software to exhibit the exploit throughout their communication. Finally, in August 2024, Kia confirmed patching the flaw, which the researchers additionally validated.
Tell us your ideas within the feedback.