Summary
- A flaw in Kia’s dealer system allowed attackers to remotely unlock and start any Kia using just a license plate number
- This vulnerability was patched by Kia in about two months
- The flaw highlights a major issue with automotive security in the connected car industry
- The attacker, Sam Curry, discovered the flaw through Kia Connect and took advantage of the KDealer API
- The good news is that Kia has already fixed the issue, and it has not been used maliciously in the wild.
Article
Kia’s Vulnerability to Remote Hacking
A flaw in Kia’s dealer system allowed attackers to remotely unlock and start any Kia using just a license plate number. This vulnerability was patched by Kia in about two months, highlighting the importance of automotive security in the connected car sector. This flaw adds to several security issues Kia has faced, including the Kia Boys exploit and the use of new devices to target Korean cars.
The Power of the Kiatool
Sam Curry, a security researcher with a focus on the automotive sector, developed the Kiatool which exploited a flaw in Kia Connect to hack into virtually every connected Kia sold in the United States over the last decade. This attack took advantage of an API flaw that allowed Curry to impersonate a dealership and gain remote access to the cars using the VIN obtained through a license plate. The Kiatool demonstrated the ease and speed with which attackers can compromise Kia vehicles.
Understanding the Exploited API
The attack on Kia vehicles exploited Kia’s Application Programming Interface (API), which allowed authenticated users to send commands to Kia’s servers to control the vehicles remotely. Curry identified a flaw in the KDealer API, used by dealers to assign new cars to owners, that enabled him to impersonate a dealership and gain access to the cars using the VIN obtained from a license plate. This flaw exposed a critical security vulnerability in Kia’s network.
The Risks and Privacy Implications
The Kia vulnerability posed serious risks to the security and privacy of Kia vehicle owners. Attackers could unlock and start the cars with just the license plate, enabling potential theft without the owner’s knowledge. Additionally, the exploit allowed access to owner information, including name, phone number, email address, location of the vehicle, and the ability to remotely access the vehicle’s cameras. This raised concerns about privacy breaches and potential malicious activities.
The Quick Fix and Ethical Disclosure
Kia promptly fixed the vulnerability after Curry ethically disclosed the flaw to the automaker. The flaw was patched within two months of discovery, and the issue was not exploited in the wild before it was fixed. This quick response from Kia highlights the importance of proactive security measures in addressing vulnerabilities in connected cars. Curry’s responsible disclosure allowed Kia to patch the flaw before any malicious actors could exploit it.
Lessons Learned for Connected Cars
The Kia vulnerability serves as a reminder of the cybersecurity risks associated with connected cars. As more vehicles become connected to the internet, the potential for security vulnerabilities and real-world consequences increases. This case underscores the need for robust security measures in automotive systems to protect vehicles and data from malicious attacks. By addressing vulnerabilities promptly and transparently, automakers can uphold consumer trust in the safety and security of connected vehicles.
Read the full article here
