Korean automaker Kia has updated its dealer web portal to address a vulnerability that could allow silent unauthorized access to millions of its vehicles manufactured after 2013. The flaw, according to the security researchers that discovered it in June 2024, can be exploited in less than 30 seconds regardless of whether the vehicle has a Kia Connect subscription. To prove their research, the team built a custom exploitation tool and filmed a video that demonstrated how the tool could remotely lock or unlock, start or stop, and locate the vehicle simply by entering its license plate.
In addition to gaining limited control over the vehicle, the vulnerability allows threat actors to access sensitive personal information belonging to targeted vehicle’s owner, including their name, phone number, email address, and physical address. To gain persistence, the flaw can also be leveraged by threat actors to add themselves as a second user on the vehicle unbeknownst to its legitimate owner.
Fortunately, the flaw was discovered by an ethical group of security researchers who specialize in finding vulnerabilities in vehicles and related systems. They reported to the flaw to Kia, who promptly fixed the issue, and confirmed that it was never publicly exploited.
Source: Bleeping Computer
Analysis
It’s interesting that the revelation of this vulnerability comes just days after President Biden’s administration announced a proposed ban on the import and sale of connected vehicles built by companies with a Chinese or Russian nexus. The ban includes popular vehicle connectivity systems (VCS), such as Bluetooth, satellite, cellular, and Wi-Fi modules as well as automated driving systems (ADS), all of which enable vehicles to drive autonomously. The fear is that these technologies, while convenient for the driver, could also be used for surveillance, sabotage, and to disrupt critical infrastructure.
While the Kia flaw only gave the threat actor limited control over the targeted vehicle, the list of actions threat actors could take after compromising a fully connected car is nearly endless. For example, they could eavesdrop on conversations, gain access to geographical information, such as travel patterns, and obtain imagery of sensitive sites the vehicle may have access to from its cameras. Even worse, threat actors could take physical control of the vehicle, potentially harming the occupants or damaging critical infrastructure.
Fortunately, the flaw in Kia’s web portal was discovered by an ethical group of security researchers who responsibly disclosed it to Kia, who in turn, acted quickly to address it. Should that not have been the case, millions of Kia owners could have potentially been subject to the exposure of their personal information and at a high risk of their vehicle being stolen.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in emerging technologies like connected vehicles.
Field Effect strongly recommends owners of connected vehicles ensure their software is up to date by enabling automatic updates.
Related Articles
