Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates

Cybersecurity researchers have disclosed critical vulnerabilities in Kia vehicles that could have allowed attackers to remotely control key vehicle functions using just the car’s license plate number. The vulnerabilities, which have now been patched, potentially affected almost all Kia vehicles manufactured after 2013.

The security flaws, discovered by Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll, could be exploited in as little as 30 seconds, enabling adversaries to manipulate vehicle systems such as door locks, engine start/stop, and more. Worryingly, these attacks could be executed remotely, even if the car owner did not have an active Kia Connect subscription.

The nature of this vulnerability highlights how deeply intertwined software, hardware, and third-party infrastructures (like dealership systems) can become. Even though the car may have been physically secure, its digital systems were vulnerable through the dealership network, creating a novel attack surface.

These kinds of issues underscore the importance of end-to-end security in the automotive industry—from vehicle software to the backend systems used by dealerships. Robust authentication protocols, secure token management, and encrypted communications are all necessary safeguards that should be implemented across the entire infrastructure to prevent such attacks.

“Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle,” the researchers said. This statement emphasizes the growing complexity of modern vehicles and the need for constant vigilance and updates to protect against new cybersecurity threats.

The flaws were responsibly disclosed by researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll in June 2024. Kia responded to the report and addressed the vulnerabilities by releasing patches on August 14, 2024. Importantly, there is no evidence that these vulnerabilities were ever exploited in real-world attacks before the patches were applied.

Technical Details:

1. Vulnerability Types:

  • Improper Authentication

Impact: Attackers could register as users without proper authorization and use the system to gain control of vehicle functions.

CWE-287: Improper Authentication.

  • Insecure Direct Object Reference (IDOR)

Impact: Attackers could access or control vehicles they didn’t own by simply knowing or guessing a VIN number.

CWE-639: Authorization Bypass Through User-Controlled Key (IDOR).

  • API Misconfiguration

Impact: API requests related to critical vehicle controls and personal information were accepted without proper validation.

CWE-220: Exposure of Sensitive Information Through Insecure API.

  • Lack of Rate Limiting

Impact: This increased the speed and efficiency of the attack, enabling rapid exploitation.

CWE-770: Allocation of Resources Without Limits or Throttling.

  • Sensitive Data Exposure

Impact: This led to the exposure of private and identifiable information, risking identity theft and privacy breaches.

CWE-200: Exposure of Sensitive Information.

  • Improper Session Management

Impact: Attackers could maintain unauthorized access to vehicle functions through session hijacking or token misuse.

CWE-384: Session Fixation or Improper Session Management.

CVSS 3.1 Base Score: 9.6 (Critical)

Affected Products:

  1. Kia Vehicles (2013 and Newer)
      • Kia Forte
      • Kia Sorento
      • Kia Sportage
      • Kia Optima
      • Kia Soul
      • Kia Carnival
      • Kia Stinger
  2. Kia Connect System
  3. Kia Dealership Infrastructure

Impact of vulnerability

This presents a highly sophisticated exploitation path that underscores how interconnected systems can be leveraged to bypass security barriers.

  1. Abuse of Dealership Infrastructure:
    The vulnerability exploited the infrastructure used by Kia dealerships (kiaconnect.kdealer[.]com) for activating vehicles. The core issue was that adversaries could register fake accounts via a manipulated HTTP request, meaning the dealership system’s verification mechanisms for account creation were either weak or non-existent, allowing attackers to circumvent security controls.
  2. Token Generation and Usage:
    After successfully registering a fake account, the attacker would receive access tokens. These tokens serve as authentication keys, which would then allow the attacker to interact with other parts of Kia’s system. In this case, the token was used in a follow-up HTTP request to Kia’s dealer APIGW (API Gateway) endpoint. API Gateways typically manage communication between clients and back-end services, and here, it facilitated unauthorized access to sensitive vehicle-related data.
  3. Vehicle Identification Number (VIN) Exploitation:
    Using the VIN of a targeted vehicle, attackers could then send HTTP requests to obtain the owner’s personal details, including name, phone number, and email address. Since the VIN is usually visible on vehicles (often displayed on the windshield), an adversary could easily gather the necessary data from the car itself and proceed to perform the attack.
  4. “Invisible” Second User:
    One of the most concerning parts of this attack is that the adversary could effectively add themselves as a second, “invisible” user to the vehicle. With this access, they could control vehicle functions and even track the car’s location, all without the owner’s knowledge. This kind of stealthy access represents a severe breach of both vehicle and personal security.

 

Indicators of Compromise (IoCs)

Indicators of compromise for the Kia vehicle vulnerability could be used to identify whether an attack has taken place or a system has been exploited. While this is a hypothetical IoC list based on the described vulnerabilities, here are some potential signs that an attack or compromise has occurred:

  1. Unusual API Requests or Traffic:
    • Unfamiliar or unauthorized HTTP requests to Kia’s dealership infrastructure (kiaconnect.kdealer[.]com) from unrecognized sources.
    • Repeated API calls querying for VIN numbers, access tokens, or user-related data.
    • Abnormal frequency or volume of requests attempting to generate access tokens.
  2. Suspicious Account Activity:
    • Unexpected registration of new accounts, especially if done through unofficial channels, potentially tied to fake access tokens.
    • Multiple users linked to the same vehicle, including accounts not recognized by the vehicle’s owner (e.g., an invisible second user).
  3. Irregular Vehicle Behavior:
    • Vehicle control functions being executed remotely without the owner’s initiation, such as unlocking doors, starting/stopping the engine, or altering climate settings.
    • Unauthorized vehicle access logs, where actions such as door unlocking, starting the engine, or changing settings happen remotely or outside expected timeframes.
  4. Unusual VIN-Linked Queries:
    • Unexpected VIN lookups from third-party sources or requests for vehicle-related data that seem out of the norm.
    • Logs showing frequent or anomalous use of VIN-related queries in the dealership or Kia Connect infrastructure.
  5. Personal Data Requests:
    • Unusual or repeated requests for the owner’s personal information (name, phone number, email address) associated with a vehicle via the dealer’s backend or Kia Connect system.
    • Suspicious access to sensitive data by IP addresses not linked to authorized parties.
  6. Compromised Kia Connect Account:
    • Alterations in Kia Connect app settings, such as changes to linked phone numbers, email addresses, or unusual login activity from unrecognized locations or devices.
  7. Network Traffic Anomalies:
    • High volumes of outbound traffic to dealership infrastructure APIs from IPs or regions not typically associated with legitimate users or dealerships.
    • Unrecognized IP addresses interacting with Kia’s backend systems or using API gateways outside of normal patterns.
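The indicators above are only useful if something actually looks for them in the gateway logs. The following detector is an added example written for this article, not code from Kia or from the researchers: it scans a constructed access log in an assumed format (timestamp, client IP, account, method, path, status) for three of the listed signals: registration bursts from one IP, one account fanning out across many VINs, and a VIN that more than one account is exercising (the “invisible second user” case). The endpoint paths, account names, IP addresses and VINs are all constructed for the example.

```python
"""Added example (not Kia's or the researchers' code): scan API-gateway style
access logs for three of the IoCs listed above. Log format, paths, VINs,
account names and IPs are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 ts> <client ip> <account or -> <method> <path> <status>".
SAMPLE_LOG = """\
2024-06-11T10:00:01Z 203.0.113.7 - POST /dealer/register 200
2024-06-11T10:00:02Z 203.0.113.7 - POST /dealer/register 200
2024-06-11T10:00:03Z 203.0.113.7 - POST /dealer/register 200
2024-06-11T10:00:04Z 203.0.113.7 - POST /dealer/register 200
2024-06-11T10:00:10Z 203.0.113.7 dlr-fake-1 GET /vehicles/TSTVN000000000001/owner 200
2024-06-11T10:00:11Z 203.0.113.7 dlr-fake-1 GET /vehicles/TSTVN000000000002/owner 200
2024-06-11T10:00:12Z 203.0.113.7 dlr-fake-1 GET /vehicles/TSTVN000000000003/owner 200
2024-06-11T10:00:13Z 203.0.113.7 dlr-fake-1 GET /vehicles/TSTVN000000000004/owner 200
2024-06-11T10:00:20Z 203.0.113.7 dlr-fake-1 POST /vehicles/TSTVN000000000001/users 200
2024-06-11T10:05:00Z 198.51.100.20 acct-0001 GET /vehicles/TSTVN000000000001/status 200
2024-06-11T10:05:05Z 198.51.100.20 acct-0001 POST /vehicles/TSTVN000000000001/unlock 200
2024-06-11T11:30:00Z 192.0.2.44 - POST /dealer/register 200
2024-06-11T11:31:00Z 192.0.2.44 dlr-real-7 GET /vehicles/TSTVN000000000009/owner 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
VIN_RE = re.compile(r"^/vehicles/([A-Z0-9]{17})(?:/|$)")  # assumed VIN-keyed path shape
REGISTER_PATH = "/dealer/register"  # assumed path for dealer account creation


def parse_log(text):
    """Parse log lines into event dicts, time-ordered; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, account, method, path, status = m.groups()
        vin_match = VIN_RE.match(path)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "account": None if account == "-" else account,
            "method": method, "path": path, "status": int(status),
            "vin": vin_match.group(1) if vin_match else None,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_registration_bursts(events, limit=3, window=timedelta(seconds=60)):
    """IPs that created >= `limit` accounts inside any trailing `window` (no throttling)."""
    recent = defaultdict(deque)   # ip -> timestamps of successful registrations in window
    peak = defaultdict(int)       # ip -> largest in-window count seen
    for e in events:
        if e["method"] != "POST" or e["path"] != REGISTER_PATH or e["status"] != 200:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and q[0] <= e["ts"] - window:
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= limit}


def detect_vin_fanout(events, limit=3):
    """Accounts that read data for >= `limit` distinct VINs (enumeration / IDOR symptom)."""
    vins = defaultdict(set)
    for e in events:
        if e["method"] == "GET" and e["vin"] and e["account"]:
            vins[e["account"]].add(e["vin"])
    return {acct: len(v) for acct, v in vins.items() if len(v) >= limit}


def detect_multi_account_vins(events):
    """VINs on which more than one account issued a state-changing request (second user)."""
    accounts = defaultdict(set)
    for e in events:
        if e["method"] != "GET" and e["vin"] and e["account"]:
            accounts[e["vin"]].add(e["account"])
    return {vin: a for vin, a in accounts.items() if len(a) > 1}


def scan(text):
    """Run all three detectors over a log text and return their findings by name."""
    events = parse_log(text)
    return {
        "registration_bursts": detect_registration_bursts(events),
        "vin_fanout": detect_vin_fanout(events),
        "multi_account_vins": detect_multi_account_vins(events),
    }


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the constructed log the single legitimate dealer registration and the owner’s own status check stay below every threshold, while the burst of registrations, the four-VIN fan-out and the second account writing to the owner’s VIN are all flagged. Thresholds are starting points; in practice they should be tuned against a baseline of known-good dealer and owner traffic.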

Anatomy of the Kia Vulnerability

The anatomy of the Kia vehicle vulnerability can be broken down into several key phases, outlining how the attack was possible, from initial access to full remote control of a vehicle. Here’s a step-by-step breakdown:

  1. Initial Targeting via License Plate Number:
  • Attack Vector: The attacker begins with only the license plate number of the targeted Kia vehicle.
  • Purpose: The license plate number is used as a starting point to obtain the vehicle’s Vehicle Identification Number (VIN), which is critical for further exploitation.
  • Data Exposure: The VIN is often easily visible on vehicles, making it accessible to an attacker in physical proximity to the car.
  2. Exploitation of Kia’s Dealership Infrastructure:
  • Vulnerable System: The core vulnerability was in the Kia dealership system (kiaconnect.kdealer[.]com), which lacked proper authentication and access controls.
  • Account Creation: The attacker exploited this flaw by registering a fake account through a manipulated HTTP request to the backend, using the dealership’s API.
  • Access Token Generation: After registering the account, the attacker could generate access tokens tied to the targeted vehicle’s VIN. These tokens were used to authenticate requests to control vehicle functions.
  3. Use of Vehicle Identification Number (VIN) in API Requests:
  • VIN Exposure: The attacker would use the VIN (obtained from the license plate or via API queries) to send HTTP requests to Kia’s API Gateway (APIGW).
  • API Exploitation: By sending requests that included the VIN and the generated access tokens, the attacker could access sensitive information about the vehicle owner (e.g., name, phone number, email) and issue commands to the vehicle.
  • Lack of Authorization: The system failed to properly validate whether the requesting user was authorized to access the VIN-associated vehicle data.
  4. Sensitive Data Theft:
  • Data Retrieval: Once authenticated, the attacker could retrieve sensitive personal information about the vehicle owner, such as:
    • Name
    • Phone number
    • Email address
    • Physical address
  • Insecure Data Handling: The dealership infrastructure and API were vulnerable to data exposure due to insufficient access controls and weak token management.
  5. Remote Command Execution on the Vehicle:
  • API Command Injection: With access tokens and the VIN, the attacker could issue API requests to control various vehicle functions, such as:
    • Unlocking doors
    • Starting or stopping the engine
    • Altering climate control settings
  • No Need for Kia Connect Subscription: These commands could be executed remotely, even if the owner did not have an active Kia Connect subscription, dramatically increasing the attack surface.
  6. Maintaining Stealth and Persistence:
  • Invisible Second User: In some cases, the attacker could add themselves as a “ghost” or second user to the vehicle without the owner’s knowledge. This allowed the attacker to maintain ongoing access and control over the vehicle.
  • Covert Control: The attacker could operate the vehicle remotely without alerting the owner, allowing them to unlock or start the vehicle without physical interaction or triggering obvious signs of compromise.
  7. Indicators of Compromise (IoCs):
  • Unusual API Traffic: Multiple or high-volume HTTP requests querying VINs or issuing remote commands to a vehicle.
  • Unexpected Vehicle Behavior: Vehicle locks, engine start/stop, or other controls changing without user input.
  • Unauthorized Account Access: Unrecognized or unauthorized users being linked to a vehicle, potentially with “second user” access.
  8. Patch and Mitigation:
  • Responsible Disclosure: The vulnerabilities were disclosed to Kia in June 2024, and Kia issued a patch on August 14, 2024. The fixes included:
    • Improved authentication and token validation.
    • Stricter permission checks on API requests tied to VINs.
    • Enhanced access control to protect sensitive personal data and vehicle commands.
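The root defect running through the Technical Details list and the anatomy above is that a VIN is a caller-supplied key, and the backend authenticated the caller without ever checking that the caller was entitled to that VIN. The following is an added example for this article, not Kia’s code and not the researchers’ proof of concept: a minimal model of a VIN-keyed owner lookup, first in the vulnerable shape described above (any valid token reads any VIN) and then hardened with the kinds of fixes the patch list names: signed token validation with expiry, a per-account rate limit, a scope check, and an ownership check. The token format, endpoint behaviour, signing key, VINs and owner records are all assumed or constructed for the example.

```python
"""Added example (not Kia's code): a VIN-keyed owner lookup in its vulnerable
shape (authentication without authorization) and a hardened shape.
Token format, key, VINs and owner data are assumed/constructed."""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Assumption: a real deployment keeps this in a secrets manager, not in source.
SERVER_KEY = b"constructed-demo-signing-key"

# Constructed backend data: VIN -> owner record, and VIN -> owning account.
OWNERS = {
    "TSTVN000000000001": {"name": "Owner One", "email": "one@example.invalid", "phone": "+1-555-0101"},
    "TSTVN000000000002": {"name": "Owner Two", "email": "two@example.invalid", "phone": "+1-555-0102"},
}
VEHICLE_OWNER_ACCOUNT = {"TSTVN000000000001": "acct-one", "TSTVN000000000002": "acct-two"}


def issue_token(account_id, scopes, ttl=3600):
    """Issue an HMAC-SHA256 signed bearer token carrying subject, scopes and expiry."""
    payload = {"sub": account_id, "scope": list(scopes), "exp": time.time() + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


# Vulnerable shape (CWE-287 + CWE-639): the caller is authenticated, but the VIN
# is never tied back to the caller, so any valid token can read any owner record.
def owner_lookup_vulnerable(token, vin):
    claims = verify_token(token)
    if claims is None:
        return 401, None
    return 200, OWNERS.get(vin)


class SlidingWindowLimiter:
    """Allow at most `limit` calls per key in any trailing `window_s` seconds (CWE-770 fix)."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.calls = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self.calls[key]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LOOKUP_LIMITER = SlidingWindowLimiter(limit=5, window_s=60)


def owner_lookup_hardened(token, vin, limiter=LOOKUP_LIMITER, now=None):
    """Authenticate, throttle, check scope, then check that the subject owns the VIN."""
    claims = verify_token(token)
    if claims is None:
        return 401, None
    if not limiter.allow(claims["sub"], now):
        return 429, None
    if "vehicle:read" not in claims.get("scope", []):
        return 403, None
    if VEHICLE_OWNER_ACCOUNT.get(vin) != claims["sub"]:
        # 404 rather than 403 so the endpoint does not confirm which VINs exist.
        return 404, None
    return 200, OWNERS[vin]


if __name__ == "__main__":
    tok = issue_token("acct-one", ["vehicle:read"])
    print("vulnerable, foreign VIN:", owner_lookup_vulnerable(tok, "TSTVN000000000002"))
    print("hardened, foreign VIN:  ", owner_lookup_hardened(tok, "TSTVN000000000002"))
    print("hardened, own VIN:      ", owner_lookup_hardened(tok, "TSTVN000000000001"))
```

The ordering in the hardened handler is deliberate: the rate limit is applied before the ownership check so that VIN-guessing attempts against the wrong account are throttled rather than just denied, and the failed ownership check returns 404 so the response does not leak which VINs exist. The same pattern applies to command endpoints (unlock, start/stop): the subject on the token, not the VIN in the request, decides what the caller may touch.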

Here’s a breakdown of an attack exploiting this vulnerability:

  1. Nature of the Vulnerability: These vulnerabilities allowed attackers to remotely control key vehicle functions, which could have included locking/unlocking doors, starting or stopping the engine, or even altering other settings. What makes this particularly alarming is that the exploit required nothing more than a license plate number, potentially enabling hackers to target vehicles by simply observing their plate in public.
  2. Scope:

The vulnerabilities impacted almost all Kia vehicles manufactured after 2013, which implies that millions of cars may have been at risk before the patch was applied. This widespread risk is especially notable considering that these attacks could be executed within 30 seconds, regardless of the vehicle’s subscription to Kia’s connected services.

  3. Personal Data Exposure:

In addition to remote control over the vehicle’s functions, the vulnerabilities also exposed sensitive personal data. Attackers could potentially access the car owner’s name, phone number, email address, and physical address, increasing the risk of identity theft or physical security threats.

  4. Research and Disclosure:

The vulnerabilities were discovered by cybersecurity researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll, who responsibly disclosed the issues. The fact that the vulnerabilities have been patched indicates Kia worked with researchers to mitigate the risks.

 

Remediation Steps:

  1. Patch Deployment:

Kia released software updates on August 14, 2024, to fix the vulnerabilities. Vehicle owners were likely notified about these updates and encouraged to install them either remotely (via over-the-air updates) or by visiting a dealership.

  2. Enhanced Authentication and Token Management:

The root of the exploit involved weak authentication and token generation within the Kia Connect system. Kia likely reinforced the way tokens are issued and verified, ensuring that unauthorized users cannot easily generate access tokens through manipulated requests.

  3. Strengthened API and Dealer Infrastructure:

Kia may have also improved the security protocols for their dealership infrastructure (kiaconnect.kdealer[.]com). This could involve stricter validation processes for VIN-related queries and preventing unauthorized users from retrieving sensitive vehicle or owner data.

  4. Improved Encryption and Data Protection:

To protect against future data exposure, Kia may have implemented stronger encryption protocols to safeguard personal information (e.g., name, phone number, and email address) and ensured secure communication between the vehicle, dealership systems, and Kia’s servers.