A license plate is everything a hacker needs to know to access your vehicle.
Security researchers have discovered critical vulnerabilities in Kia's dealer portal that allowed attackers to quietly steal parked cars of this brand. The flaws made it possible to hack any model of the South Korean brand released after 2013, using only the car's license plate.
Security researchers, including "vulnerability hunter" Sam Curry, first identified critical gaps in the digital systems of more than a dozen car brands in 2022. At that time, the vulnerabilities allowed attackers to remotely locate, block, unlock and even start the engine of more than 15 million cars from premium brands such as Ferrari, BMW, Rolls Royce and Porsche.
This time, Curry said that the holes discovered on June 11 of this year in the Kia Connect portal gave access to the controls of any Kia car fitted with remote hardware, even if it did not have an active Kia Connect subscription.
In addition, the vulnerabilities exposed the personal data of car owners, including name, phone number, email and physical address. Attackers could also add themselves to the system as a second user without the owner's knowledge.
To demonstrate the problem, the team of researchers built a tool that let them add cars to their "virtual garage" using just a license plate, and then remotely lock or unlock the car, start or stop the engine, honk the horn or locate the car on a map.
By connecting to the Kia dealer portal ("kiaconnect.kdealer.com"), the specialists registered a privileged account and generated a valid access token. This token made it possible to use the dealer backend API, which exposed critical information about car owners and gave full control over the vehicles' remote functions.
Attackers could use this API to gain the following capabilities:
- Generate a dealer token and retrieve it from the HTTP response;
- Get access to the email address and phone number of the car owner;
- Change access rights using the data obtained;
- Add the attacker's own email address to the car's account in order to control the car remotely.
Because of these flaws, unauthorized access to the car could be carried out covertly: the owner received no notification of the break-in and no notification that access rights had been changed.
However, all of the vulnerabilities have already been fixed. According to Curry, the tool demonstrating the hack was never published online, and the Kia team has confirmed that the flaws were not used for malicious purposes.
Source