Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates

Cybersecurity researchers have disclosed a set of now-patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions simply by using only a license plate.

"These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription," security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll said.

The issues impact almost all vehicles made after 2013, even letting attackers covertly gain access to sensitive information, including the victim's name, phone number, email address, and physical address.

Essentially, this could then be abused by the adversary to add themselves as an invisible second user on the car without the owner's knowledge.

The crux of the research is that the issues exploit the Kia dealership infrastructure (kiaconnect.kdealer.com) used for vehicle activations to register for a fake account via an HTTP request and then generate access tokens.

The token is subsequently used in conjunction with another HTTP request to a dealer APIGW endpoint and the vehicle identification number (VIN) of a car to obtain the vehicle owner's name, phone number, and email address.

What's more, the researchers found that it's possible to gain access to a victim's vehicle as trivially as issuing four HTTP requests and ultimately executing internet-to-vehicle commands.

"From the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified," the researchers pointed out.

"An attacker could resolve someone's license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk."

In a hypothetical attack scenario, a bad actor could enter the license plate of a Kia vehicle in a custom dashboard, retrieve the victim's information, and then execute commands on the vehicle after around 30 seconds.

Following responsible disclosure in June 2024, the flaws were addressed by Kia as of August 14, 2024. There is no evidence that these vulnerabilities were ever exploited in the wild.

"Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle," the researchers said.
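The flaw class described above (a self-registered account on a dealer portal being treated as a trusted dealer, full owner PII returned for any VIN, and a second user added with no notification to the owner) is easiest to reason about as an authorization model. The following is an added example written for this article, not Kia's code or an actual representation of their API; every class, method, VIN, and account name is hypothetical and constructed. The `hardened=False` mode models the failure class, and `hardened=True` shows the three checks a defender would expect: a token alone does not grant dealer privileges, a lookup returns only what activation needs, and the owner is told when a new user gains access.

```python
# Added illustration (hypothetical, not Kia's code): a toy dealer-portal model
# of the authorization failure class described in the article, with a hardened
# variant beside it. All names, VINs and accounts below are constructed.
from dataclasses import dataclass, field
import secrets


@dataclass
class Vehicle:
    vin: str
    owner: dict                                   # PII: name, phone, email, address
    users: list = field(default_factory=list)     # accounts with remote access
    owner_notices: list = field(default_factory=list)


class DealerPortal:
    """hardened=False models the flaw class; hardened=True applies the fixes."""

    def __init__(self, vehicles, verified_dealers, hardened):
        self.vehicles = {v.vin: v for v in vehicles}
        self.verified_dealers = set(verified_dealers)  # vetted dealer accounts
        self.hardened = hardened
        self.tokens = {}                               # token -> account id
        self.audit = []                                # (event, ...) tuples

    def register(self, account_id):
        # Both modes accept a registration; the difference is what the account may do.
        self.audit.append(("register", account_id))
        return account_id

    def issue_token(self, account_id):
        token = secrets.token_hex(16)
        self.tokens[token] = account_id
        return token

    def _authorize(self, token):
        account = self.tokens.get(token)
        if account is None:
            raise PermissionError("invalid token")
        # Hardened: holding a valid token is not enough; the account behind it
        # must be a verified dealer before any vehicle operation is allowed.
        if self.hardened and account not in self.verified_dealers:
            self.audit.append(("denied", account))
            raise PermissionError("account is not a verified dealer")
        return account

    def owner_lookup(self, token, vin):
        account = self._authorize(token)
        vehicle = self.vehicles[vin]
        self.audit.append(("owner_lookup", account, vin))
        if self.hardened:
            # Hardened: data minimisation; activation does not need the full record.
            return {"name": vehicle.owner["name"]}
        return dict(vehicle.owner)              # weak: full PII for any VIN

    def add_user(self, token, vin, new_user):
        account = self._authorize(token)
        vehicle = self.vehicles[vin]
        vehicle.users.append(new_user)
        self.audit.append(("add_user", account, vin, new_user))
        if self.hardened:
            # Hardened: the owner is notified that another user now has access.
            vehicle.owner_notices.append(f"user {new_user} added by {account}")
        return list(vehicle.users)


def _sample_vehicle():
    # Constructed sample data; not a real VIN or person.
    return Vehicle(vin="VIN-CONSTRUCTED-0001",
                   owner={"name": "A. Owner", "phone": "555-0100",
                          "email": "owner@example.invalid", "address": "1 Example St"})


def self_registered_flow(hardened):
    """Run the article's flow with a self-registered account; return the outcome."""
    car = _sample_vehicle()
    portal = DealerPortal([car], verified_dealers={"dealer-42"}, hardened=hardened)
    token = portal.issue_token(portal.register("self-registered-account"))
    try:
        pii = portal.owner_lookup(token, car.vin)
        users = portal.add_user(token, car.vin, "second-user@example.invalid")
        outcome = {"allowed": True, "pii_fields": sorted(pii), "users": users}
    except PermissionError as exc:
        outcome = {"allowed": False, "reason": str(exc)}
    outcome["owner_notices"] = list(car.owner_notices)
    return outcome


def verified_dealer_flow():
    """A genuine dealer activation in hardened mode still works, and the owner is told."""
    car = _sample_vehicle()
    portal = DealerPortal([car], verified_dealers={"dealer-42"}, hardened=True)
    token = portal.issue_token("dealer-42")
    users = portal.add_user(token, car.vin, "owner@example.invalid")
    return {"users": users, "owner_notices": list(car.owner_notices),
            "audit": portal.audit}


if __name__ == "__main__":
    print("weak:", self_registered_flow(hardened=False))
    print("hardened:", self_registered_flow(hardened=True))
    print("dealer:", verified_dealer_flow())
```

In weak mode the self-registered account reads the whole owner record and silently becomes a second user; in hardened mode the same request is refused at `_authorize` and recorded in the audit list, while a verified dealer's activation still succeeds and leaves a notice for the owner. The `audit` list is what a detection engineer would feed into monitoring: a burst of `owner_lookup` events across many VINs from one freshly registered account is exactly the pattern the article's 30-second scenario would produce.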