Kia portal flaw exposes millions of vehicles to hacking risk

September 30, 2024

The Kia dealer site allegedly contained a vulnerability that could allow threat actors to hack and steal millions of vehicles. According to reports, attackers could find and steal Kia vehicles manufactured after 2013 using only the target vehicle’s license plate.

Researchers disclosed earlier this week that the Kia web portal vulnerabilities have existed since June 11th, 2024. Unauthorised individuals could use the bug to take control of any Kia car equipped with remote hardware in less than 30 seconds, regardless of whether it had an active Kia Connect membership.

The flaws also exposed car owners’ sensitive personal information, such as their name, phone number, email address, and physical address, allowing attackers to enrol themselves as a second user on vulnerable vehicles without the owner’s consent.

The Kia site vulnerability is exploitable within 30 seconds.

In their investigation, the researchers demonstrated how a hacker can enter a Kia license plate and remotely lock or unlock the vehicle within 30 seconds. The demo also showed that the researchers could start or stop the vehicle, honk the horn, or locate the car using the flaw.

The researchers started their demo by creating a dealer account on Kia’s kiaconnect[.]kdealer[.]com dealer site. Once validated, they generated a valid access token that granted them access to backend dealer APIs. These APIs provided essential information on the vehicle owner and complete power over the car’s remote controls.

The reports stated that the attackers could exploit the backend dealer API to generate and obtain a dealer token from the HTTP response, get the victim’s email address and phone number, modify the owner’s access permissions using disclosed information, and add an attacker-controlled email to the victim’s vehicle, enabling remote commands.

Furthermore, the HTTP response included the vehicle owner’s name, phone number, and email address. The investigators also explained that they could authenticate into the dealer portal using their standard app credentials and the changed channel header.

Hence, a potential attacker might use the API to remotely track, unlock, start, or honk a vehicle without the owner’s knowledge.
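For defenders, the sequence described above (owner lookup, owner-permission change, new email added to the vehicle, all from one dealer token) is something an API audit trail can be checked for. The following is an added example, not code from Kia or the researchers; the event fields, action names and 60-second window are assumptions, and the sample events are constructed.

```python
# Added example: constructed audit events, NOT real Kia logs.
# Field names and action names are assumptions made for illustration.
EVENTS = [
    {"ts": 0,   "token": "dealer-A", "action": "owner_lookup",        "vin": "VIN1"},
    {"ts": 3,   "token": "dealer-B", "action": "owner_lookup",        "vin": "VIN2"},
    {"ts": 5,   "token": "dealer-A", "action": "modify_owner_access", "vin": "VIN1"},
    {"ts": 12,  "token": "dealer-A", "action": "add_user_email",      "vin": "VIN1"},
    {"ts": 20,  "token": "dealer-C", "action": "owner_lookup",        "vin": "VIN3"},
    {"ts": 400, "token": "dealer-B", "action": "modify_owner_access", "vin": "VIN2"},
    {"ts": 410, "token": "dealer-B", "action": "add_user_email",      "vin": "VIN2"},
]

# Ordered steps of the enrolment chain the article describes.
CHAIN = ("owner_lookup", "modify_owner_access", "add_user_email")
WINDOW_SECONDS = 60  # assumed threshold; tune against normal dealer activity


def find_takeover_chains(events, window=WINDOW_SECONDS):
    """Return (token, vin) pairs where one dealer token ran the whole
    chain, in order, against one vehicle within `window` seconds."""
    progress = {}  # (token, vin) -> (index of next expected step, ts of first step)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["token"], ev["vin"])
        step, start = progress.get(key, (0, None))
        if step and ev["ts"] - start > window:
            step, start = 0, None            # chain went stale, start over
        if ev["action"] == CHAIN[step]:
            if step == 0:
                start = ev["ts"]
            step += 1
            if step == len(CHAIN):
                hits.append(key)             # full chain completed in time
                step, start = 0, None
        elif ev["action"] == CHAIN[0]:
            step, start = 1, ev["ts"]        # a fresh lookup restarts the chain
        progress[key] = (step, start)
    return hits


if __name__ == "__main__":
    for token, vin in find_takeover_chains(EVENTS):
        print(f"ALERT: token {token} enrolled a new user on {vin} in under {WINDOW_SECONDS}s")
```

Legitimate dealer workflows may produce the same three calls, so a match is a lead for review (for example, checking whether the owner approved the new user), not proof of misuse.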

These vulnerabilities have now been addressed, the tool was never publicly exposed, and the Kia team has confirmed that it was never intentionally misused.
