In a recent discovery, a critical vulnerability in Kia vehicles has been brought to light, illustrating the alarming risk of cyberattacks on connected cars. This vulnerability allowed hackers to remotely control various functions of Kia vehicles solely using the license plate information. The potential for unauthorized access to these vehicles through exploitation of the Kia dealership infrastructure was uncovered by security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll.
The attack method involved hackers remotely registering for a fake account and generating access tokens to access a dealer APIGW endpoint in combination with the vehicle’s VIN. This exploit could enable them to obtain the owner’s personal information such as name, phone number, and email address. Furthermore, hackers could potentially add themselves as an “invisible” second user on the car without the owner’s knowledge. This series of vulnerabilities could allow attackers to execute commands and control key functionalities of the vehicle.
The impacted functionalities included the ability to remotely lock/unlock the doors, geolocate the vehicle, start/stop the engine, activate the horn and lights, and in some cases, access the car’s cameras. Through a sequence of HTTP requests and internet-to-vehicle commands, hackers could take control of the vehicle remotely, posing a significant threat to the security of Kia vehicle owners. The exploit affected a wide range of Kia models manufactured after 2013, putting a substantial number of cars at risk of potential malicious attacks.
Following a responsible disclosure in July 2024, Kia promptly addressed these vulnerabilities in August 2024. Although there is no evidence of exploitation in the wild, researchers caution that similar vulnerabilities could be introduced by car manufacturers, posing a similar threat to other connected cars. As the automotive industry embraces increasing connectivity in vehicles, it becomes crucial for manufacturers to prioritize robust security measures to safeguard customers from potential cyber threats.
Security experts, such as Akhil Mittal, emphasized the urgency for the automotive industry to tackle these high-tech threats seriously. The incident with Kia vehicles serves as a red flag for the industry, signaling the shift from physical theft to digital exploitation in modern cars. The need for regular software updates, enhanced encryption, and improved communication with drivers is critical to protect vehicles from cybercriminals aiming to exploit vulnerabilities for malicious purposes.
In conclusion, the discovery of vulnerabilities in Kia vehicles underscores the growing importance of cybersecurity in the automotive industry. As cars become more interconnected and technologically advanced, ensuring robust security measures is imperative to protect against potential cyberattacks that could compromise the safety and privacy of vehicle owners. The swift response from Kia to address these vulnerabilities highlights the significance of proactive security measures in safeguarding connected vehicles in an increasingly digital world.