Abeerah Hashim
2024-10-01 07:16:27
latesthackingnews.com
Kia recently addressed a serious security vulnerability, risking its cars. The vulnerability existed in the Kia dealer portal, allowing an adversary to access victims’ personal information and take control of the target vehicle.
Security Flaw Patched In Kia Dealer Portal
Security researcher Sam Curry recently shared insights about a serious vulnerability threatening the security of Kia cars and their users.
Specifically, Curry and the team noticed that an adversary could target any Kia car using its license plate. The vulnerability existed because entering this detail in the Kia dealer portal could allow immediate access to the target vehicle’s system. This, in turn, would allow the attacker to execute various commands, such as unlocking the car, which risked car theft, starting/stopping the car, and more. Besides, the attacker could also access the vehicle owner’s personal information and add himself as the vehicle’s second owner without alerting the victim.
The issue impacted Kia’s domain “kiaconnect.kdealer.com,” the dealer portal for vehicle registration. An adversary could register a dealer account on this domain and generate access tokens for vehicle registration.
The researchers could register a dealer account using the same HTTP request used to register on Kia Owner’s website, “owners.kia.com.” Once done, the researchers could call the backend dealer APIs to get the vehicle owner’s information, including name, contact number, and email address.
Further, the researchers could also access other endpoints governing vehicle enrollments and modifications. Consequently, they could access the target vehicle’s system, add/delete/modify the vehicle owner, and send arbitrary commands to the vehicle.
The researchers shared the details of this attack in a post, demonstrating the exploit in the following video.
This vulnerability affected Kia vehicles “regardless of an active Kia Connect subscription,” thus enhancing the threat radius. The researchers have also shared a list of all vehicles affected by this flaw.
Following this discovery, the researchers contacted Kia in June 2024. The researchers even developed a tool to demonstrate the exploit during their communication. Ultimately, in August 2024, Kia confirmed patching the flaw, which the researchers also validated.
Let us know your thoughts in the comments.
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.