Kia: Flaw in web portal allowed researchers remote access to cars

A bug in a web application from car manufacturer Kia would apparently have allowed attackers to hack millions of cars. It has already been fixed.


A group of security researchers has discovered critical vulnerabilities in Kia's web portal. The group made the discovery public on Thursday. The vulnerabilities would have enabled attackers to remotely locate, activate and start millions of Kia cars and activate the horn within seconds using only the license plate. Vehicles with remote hardware, i.e. those built before 2013, were affected, regardless of whether they had an active Kia Connect subscription or not. In the meantime, however, there is no longer any danger.

To show how easily they could hijack the vehicles' internet-connected functions due to the vulnerabilities, the researchers developed their own app, which they could use to send commands to vehicles of the affected models, provided they knew the license plate number.

The vulnerabilities in the web application also allowed the security researchers to view personal data of car owners, including names, phone numbers, addresses and email addresses, and add themselves as a second user to the user account without the vehicle owners being aware of it.

The vulnerabilities in the web application allowed the researchers to register a dealer account on the Kia dealer portal, which allowed them to access the Kia dealer APIs on the backend. From there, they found a way to take over vehicles of affected models. They have published details of their approach in a blog post.

One of the researchers involved, Sam Curry, told the US online medium BleepingComputer that Kia has since fixed the vulnerabilities, that the researchers had never published their app and that Kia had confirmed that the vulnerabilities had never been exploited by attackers.

In January 2023, the group had already found a list of vulnerabilities in web applications from a whole range of vehicle manufacturers and reported them to the companies concerned. For some manufacturers, the vulnerabilities would have enabled them to at least partially hijack networked vehicle functions, while for others they were able to access internal systems and company data.


Neiko Rivera, who was also involved in the discovery, told the US online medium Wired that he had worked in cyber security in the automotive industry and had seen first-hand that car manufacturers often focused more attention on digital components in non-traditional computer environments, such as cars, than on the security of their web applications. This is partly because security vulnerabilities in vehicle computers are more difficult to fix. In his opinion, there is "some glaring gap between embedded security and web security" in the automotive industry.

(kst)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.