• Cyber Syrup
  • Posts
  • Critical Vulnerabilities in Kia Vehicles: Understanding the Risks and Impact

Critical Vulnerabilities in Kia Vehicles: Understanding the Risks and Impact

Cybersecurity researchers have uncovered vulnerabilities in Kia vehicles that could have allowed attackers to control vehicle functions by using only a car’s license plate

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Critical Vulnerabilities in Kia Vehicles: Understanding the Risks and Impact

Cybersecurity researchers have uncovered a series of now-patched vulnerabilities in Kia vehicles that, if exploited, could have allowed attackers to remotely control key vehicle functions by simply using a car’s license plate. This discovery underscores the growing risks associated with connected cars, especially as they become more integrated with digital networks.

Understanding the Vulnerability

The vulnerabilities, which affected nearly all Kia vehicles manufactured after 2013, were disclosed by researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll. These flaws could be exploited remotely in about 30 seconds, allowing attackers to gain unauthorized control over vehicles even if the owner did not have an active Kia Connect subscription.

The potential attack was based on vulnerabilities within the Kia dealership infrastructure, particularly within the system used for activating vehicles (kiaconnect.kdealer.com). By manipulating this system, attackers could register for a fake account through an HTTP request, generate an access token, and use it to retrieve sensitive vehicle and owner information.

From there, the attackers could exploit the system to:

  • Gain access to the vehicle owner's personal information (name, phone number, email address, and physical address).

  • Add themselves as an invisible second user on the victim's vehicle without the owner's knowledge.

  • Use the vehicle identification number (VIN) and other data to send remote commands such as unlocking the vehicle, starting the engine, or honking the horn.

A total of just four HTTP requests were necessary to carry out these actions, which included:

  1. Generating a dealer token and retrieving it from the HTTP response.

  2. Fetching the victim’s email address and phone number.

  3. Modifying the vehicle’s access permissions, including adding the attacker as the primary account holder.

  4. Issuing remote commands to the vehicle, such as unlocking or starting it.

Worryingly, these actions could be performed without alerting the vehicle owner—there was no notification that their car had been accessed or their access permissions modified.

Who is at Risk?

The vulnerabilities impacted almost all Kia vehicles made after 2013, placing a vast number of car owners at risk. Since the vulnerabilities allowed remote control without requiring physical access to the car, any Kia vehicle could be a target. This risk was particularly significant for owners of newer vehicles equipped with Kia’s connected car technologies, as attackers could potentially access critical car functions such as unlocking, starting the vehicle, or tracking its location.

Additionally, because the flaw required only a license plate and VIN number—both of which are publicly accessible on parked cars—any Kia vehicle on the road or in a parking lot could have been susceptible to attack.

How to Protect Yourself

While Kia has since patched the vulnerabilities as of August 2024, it’s essential for car owners to remain vigilant and take steps to protect themselves in the future. Here are a few best practices:

  1. Update Your Vehicle Software: Just as you would with a smartphone or computer, it’s crucial to keep your vehicle’s software updated. Car manufacturers regularly release security updates to patch vulnerabilities, so ensuring your vehicle is running the latest software can protect against emerging threats.

  2. Monitor for Suspicious Activity: If your vehicle supports connected services, regularly monitor its activity. If you notice any unusual behavior, such as unauthorized access or unexpected commands, contact your dealer immediately.

  3. Use Strong, Unique Credentials: Ensure that any connected vehicle apps or services you use are protected by strong, unique passwords. Avoid reusing passwords across different platforms to reduce the risk of credential theft.

  4. Be Cautious of Third-Party Apps: Only use official applications from the vehicle manufacturer. Third-party apps may not have the same level of security and could expose you to additional risks.

  5. Contact Your Manufacturer for Support: If you’re concerned about the security of your vehicle, reach out to the manufacturer or dealership for advice. They can help verify that your vehicle has the latest updates and recommend any additional steps you can take to protect your data.

Conclusion

The vulnerabilities discovered in Kia vehicles highlight the growing risks associated with connected cars. While Kia has addressed the issue and there is no evidence of these flaws being exploited in the wild, the incident serves as a reminder that even our cars are vulnerable to cyberattacks. Car owners must remain proactive in securing their vehicles by regularly updating software and staying informed about potential risks. Just as with any other connected device, vigilance and proper security practices are key to protecting both personal information and physical safety.