In a startling revelation, cybersecurity researchers have uncovered critical vulnerabilities in Kia’s dealer portal that could have allowed malicious actors to remotely control key functions of Kia vehicles. This discovery highlights the growing importance of robust cybersecurity measures in the automotive industry.
The Scope of the Vulnerability
The security flaws, now patched, affected nearly all Kia models manufactured since 2013. Researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll demonstrated that these vulnerabilities could be exploited in approximately 30 seconds, regardless of whether the vehicle had an active Kia Connect subscription.
What’s particularly concerning is that the attack required only the vehicle’s license plate number to initiate. This low barrier to entry significantly increased the potential risk to Kia owners.
Implications for Vehicle Owners
The discovered vulnerabilities went beyond mere vehicle control. Attackers could potentially access sensitive information about the car’s owner, including:
- Full name
- Phone number
- Email address
- Physical address
Moreover, the flaw allowed hackers to add themselves as an “invisible” secondary user without the owner’s knowledge or consent, granting them persistent access to the vehicle’s systems.
Technical Details of the Exploit
The security researchers identified vulnerabilities in the Kia dealer portal infrastructure (kiaconnect.kdealer[.]com) in June 2024. By creating a fake dealer account, they were able to generate a valid access token, granting them access to the dealer backend API. This access provided them with:
- Detailed vehicle owner information
- Full remote control capabilities of affected vehicles
Using this API, an attacker could potentially track, unlock, start, or shut down a target vehicle remotely, as well as activate its horn – all without the owner’s knowledge or consent.
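The flaw described above comes down to a backend that trusted any valid dealer token. The sketch below is an added example, not Kia's code or the researchers' code: it shows per-request authorization that rejects a self-registered dealer account and refuses to add a secondary user silently. All names, fields and the action allowlist are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy: what a dealer token may do at all. Remote commands
# (unlock, start, horn) are deliberately absent from this allowlist.
DEALER_ACTIONS = {"read_owner_contact", "add_secondary_user"}
OWNER_NOTICES = []  # stand-in for an email/push channel to the owner

class AuthzError(Exception):
    pass

@dataclass
class Dealer:
    dealer_id: str
    verified: bool = False  # set by out-of-band onboarding, never by sign-up

@dataclass
class Vehicle:
    vin: str
    owner_email: str
    servicing_dealers: set = field(default_factory=set)
    secondary_users: set = field(default_factory=set)

def authorize(dealer, vehicle, action):
    """Check the caller on every request; a valid token alone is not enough."""
    if not dealer.verified:
        raise AuthzError("dealer account has not been verified")
    if action not in DEALER_ACTIONS:
        raise AuthzError(f"action {action!r} is not available to dealers")
    if dealer.dealer_id not in vehicle.servicing_dealers:
        raise AuthzError("dealer has no relationship with this vehicle")

def add_secondary_user(dealer, vehicle, email, owner_approved):
    """Add a user only with owner approval, and always tell the owner."""
    authorize(dealer, vehicle, "add_secondary_user")
    if not owner_approved:
        raise AuthzError("owner has not approved this user")
    vehicle.secondary_users.add(email)
    OWNER_NOTICES.append((vehicle.owner_email, f"{email} added to {vehicle.vin}"))
    return True

# Constructed sample data (not real accounts or vehicles).
car = Vehicle("VIN-EXAMPLE-0001", "owner@example.com", {"dealer-17"})
self_registered = Dealer("dealer-99")               # signed up, never vetted
onboarded = Dealer("dealer-17", verified=True)
```
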
Kia’s Response and Current Status
Kia has confirmed that all identified vulnerabilities have been promptly addressed and patched. The company emphasized that there is no evidence of these security flaws being exploited by malicious actors in real-world scenarios.
This incident serves as a stark reminder of the critical importance of cybersecurity in modern vehicles. As cars become increasingly connected and reliant on digital systems, manufacturers must prioritize robust security measures to protect their customers from potential cyber threats. Vehicle owners, too, should remain vigilant and ensure their vehicles’ software is always up to date to mitigate such risks.