Security researchers recently discovered critical vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate [3] [4].
Description
These vulnerabilities affected almost all Kia vehicles made after 2013 [2] [5], exposing owners’ personal information and allowing unauthorized access [3]. The flaws allowed Kia’s dealership infrastructure to be abused to generate access tokens and retrieve sensitive information [2]. The vulnerabilities were demonstrated using a custom tool on Kia’s ownerskia.com website and the Kia Connect iOS app. Researchers also found a previously unknown domain used for registrations, allowing them to gain unauthorized access to vehicles [1]. Kia addressed the vulnerabilities after responsible disclosure in June 2024, with no evidence of exploitation in the wild [2] [5].
Conclusion
This incident highlights concerns about the cybersecurity readiness of the auto industry in the face of high-tech threats [3]. While Kia patched the vulnerability, similar security issues persist in the automotive industry [6]. The exploit could have led to theft, harassment, and privacy breaches [6]. Improved cybersecurity measures in connected vehicles are crucial to protect personal data and vehicle security.
References
[1] https://securityaffairs.com/168966/hacking/hacking-kia-cars-made-after-2013.html
[2] https://thehackernews.com/2024/09/hackers-could-have-remotely-controlled.html
[3] https://siliconangle.com/2024/09/26/critical-flaws-kias-remote-system-allowed-hackers-control-vehicles/
[4] https://thecyberwire.com/newsletters/daily-briefing/13/185
[5] https://patabook.com/technology/2024/09/26/hackers-could-have-remotely-controlled-kia-cars-using-only-license-plates/
[6] https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/