Millions of Kia Cars Could Be Hacked Using Just Their License Plate: In-Depth Analysis

Summary

A team of security experts found critical vulnerabilities in Kia’s dealer site that could have allowed hackers to find and steal millions of Kia vehicles manufactured after 2013 using only the licence plate of the targeted vehicle.

The vulnerabilities also exposed sensitive personal information about vehicle owners, such as their name, phone number, email address, and physical address.

The Kia team has confirmed that this tool was never intentionally used, and these vulnerabilities have since been patched.

About the Research & Development

Security researchers, including Sam Curry, found a collection of vulnerabilities in Kia cars on June 11th, 2024, that allowed for remote control of important features with just a licence plate. In roughly thirty seconds, these attacks could be carried out remotely on any hardware-equipped car, even if it did not have a current Kia Connect subscription.

Hackers could have carried out a wide range of illegal tasks with the vulnerabilities, such as tracking and unlocking cars.

Popular brands like Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Genesis, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar, and Land Rover were among the automobiles with defects found by the specialists. The research team also found problems with Spireon, SiriusXM, and Reviver’s services.

Tool For The Trade

Researchers created a tool to show the consequences of these vulnerabilities, where an attacker could simply enter a Kia vehicle’s licence plate and, after about 30 seconds, execute commands on the vehicle.

Curry wrote: “We built a tool to demonstrate the impact of these vulnerabilities where an attacker could simply (1) enter the license plate of a Kia vehicle, then (2) execute commands on the vehicle after around 30 seconds.”

Exploiting Features : Client Registration (kiaconnect.kdealer.com)

The researchers also looked into the car activation procedures used by Kia for new customers. They learnt that in order for the clients to register their car or add it to their Kia account, Kia would issue a registration link to their email addresses. Upon examining the URL, the experts discovered that new car registrations are handled through kiaconnect.kdealer.com, a previously unidentified domain that requires a token and VIN number.

https://kiaconnect.kdealer.com/content/kDealer/en/kiauser.html?token=dealer_generated_access_token&vin=example_vin&scenarioType=3

The website employed a reverse proxy to send user commands to the backend server (api.owners.kia.com), which carried out the commands. The mobile app, on the other hand, used the API directly. The example HTTP request in the next section shows how the website proxies an API call to unlock a car door.

Exploiting Features : Unlocking Door

On the website “owners.kia.com,” there is an HTTP request to unlock a car door.

POST /apps/services/owners/apigwServlet.html HTTP/2
Host: owners.kia.com
Httpmethod: GET
Apiurl: /door/unlock
Servicetype: postLoginCustomer
Cookie: JSESSIONID=SESSION_TOKEN;

They learnt how to take advantage of enrolment, unenrollment, and vehicle modification endpoints to obtain unauthorised access to a victim’s vehicle by examining Kia’s JavaScript code.

dealerVehicleLookUp() {
    this.displayLoader = !0, this.vinToEnroll = "eDelivery" != this.entryPoint ? this.vinToEnroll.replace(/\s/g, "") : this.userDetails.vin, "17" == this.vinToEnroll.length && this.landingPageService.postOffice({
        vin: this.vinToEnroll
    }, "/dec/dlr/dvl", "POST", "postLoginCustomer").subscribe(i => {
        i && (i.hasOwnProperty("body") && "0" == i.body.status.statusCode ? this.processDvlData(i.body) : "1003" == i.body.status.errorCode && "kia-dealer" == this.entryPoint ? this.reRouteSessionExpire() : (this.displayLoader = !1, this.alertMessage = i.body.status.errorMessage, document.getElementById("triggerGeneralAlertModal").click()))
    })
}
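
The request above shows the proxy taking the backend path and method from client-supplied headers (Apiurl, Httpmethod, Servicetype). The following is an added example, not Kia's code or Kia's fix, of a default-deny check such a proxy can apply before forwarding a call. The role names, the POLICY table, the session shape and the VIN arriving in body.vin are assumptions made for illustration.

```javascript
// Added example: default-deny authorization for a header-driven API proxy.
// ASSUMPTIONS: role names, the POLICY table, the session shape and the VIN
// arriving in body.vin are illustrative; none of this is Kia's code.
const POLICY = {
  "/door/unlock": { methods: ["GET"], roles: ["owner"], vinBound: true },
  "/dec/dlr/dvl": { methods: ["POST"], roles: ["dealer"], vinBound: false },
};

const deny = (reason) => ({ allow: false, reason });

function authorizeProxyCall(session, headers, body) {
  // Header names are case-insensitive; normalise before reading them.
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v);

  // The role comes from server-side session state. The client-supplied
  // Servicetype header is deliberately not used for any decision.
  if (!session || typeof session.role !== "string") return deny("no-session");

  // Exact-match allow-list: unknown paths, query strings and traversal
  // sequences fall through to deny. hasOwnProperty blocks "__proto__".
  const apiUrl = h.apiurl || "";
  if (!Object.prototype.hasOwnProperty.call(POLICY, apiUrl)) return deny("unknown-apiurl");
  const rule = POLICY[apiUrl];

  if (!rule.methods.includes(h.httpmethod)) return deny("method-not-allowed");
  if (!rule.roles.includes(session.role)) return deny("role-not-permitted");

  if (rule.vinBound) {
    // Object-level check: the VIN must be one the session already owns.
    const vin = body && typeof body.vin === "string" ? body.vin.replace(/\s/g, "") : "";
    if (vin.length !== 17) return deny("bad-vin");
    if (!Array.isArray(session.vins) || !session.vins.includes(vin)) return deny("vin-not-owned");
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample data (not real VINs or sessions).
const ownerSession = { role: "owner", vins: ["TESTVIN0000000001"] };
const unlock = { Httpmethod: "GET", Apiurl: "/door/unlock", Servicetype: "postLoginCustomer" };
const dealerLookup = { Httpmethod: "POST", Apiurl: "/dec/dlr/dvl", Servicetype: "postLoginCustomer" };

console.log(authorizeProxyCall(ownerSession, unlock, { vin: "TESTVIN0000000001" }));
console.log(authorizeProxyCall(ownerSession, unlock, { vin: "TESTVIN0000000002" }));
console.log(authorizeProxyCall(ownerSession, dealerLookup, { vin: "TESTVIN0000000002" }));
```

Denied calls with reasons such as role-not-permitted or vin-not-owned are also useful detection signals when logged with the session identifier.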

The good news is that the car manufacturer has addressed the problems that the researchers brought to their attention. As far as Kia is aware, no outside attack has taken advantage of these vulnerabilities.
