Kia Website Vulnerabilities Allowed Remote Car Control
Now-patched vulnerabilities in online services from carmaker Kia allowed attackers to remotely control vehicle functions using only a license plate number, putting millions of cars at risk.
The flaws, discovered by security researcher Sam Curry, could be exploited in about 30 seconds and affect Kia models going back to 2014 to varying degrees. Curry and colleagues found the carmaker’s most recent models to be especially susceptible to remote control of key functions such as unlocking doors, starting the engine and disabling the starter. Even older models that typically couldn’t be remotely controlled were prone to giving up geolocation data.
Curry said he discovered the flaws present in the South Korean automaker’s official website for owners and in its iOS app.
“These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously,” Curry said after disclosing that he had built a tool that would allow the takeover of a car by entering the license plate of a Kia vehicle.
Remote connection flaws also allowed attackers to harvest sensitive personal information, such as the owner’s name, address, email and phone number. Kia did not immediately respond to a request for comment.
Cars have been a favorite target for security researchers as software and electronic control units dominate what once were purely analog machines. Smartphone apps capable of controlling core vehicle functionality “expose those traditional physical functions to the communication and security frailties of internet protocols and applications,” said Gunter Ollmann, IOActive chief technology officer.
Curry said he was able to add himself as a second user of the vehicle without the owner’s knowledge. According to Curry, the process of taking control could be completed in less than 30 seconds. Researchers initially focused on the owners.kia.com website and the Kia Connect iOS app, which allowed internet-to-vehicle commands.
Analyzing the HTTP requests made through these platforms, Curry’s team found that the website used a backend reverse-proxy system to forward user commands, such as unlocking a car door, to Kia’s backend API service. This API service, in turn, executed the vehicle commands remotely.
Sending an HTTP request from the owners.kia.com website to the backend system could unlock a car door using only a session ID token and a vehicle identification number as the key.
Curry and his team also examined Kia’s dealer infrastructure. Kia dealerships use a similar system to register and activate new vehicles for customers. Researchers could register fake accounts and generate valid access tokens. They then used these tokens to access sensitive user data, including contact information.
Gaining access to Kia’s dealer APIs allowed attackers to send a series of commands to gain full control over a vehicle. The dealer APIs also exposed user profiles, allowing hackers to view the vehicle owner’s personal information, adding to the overall threat of privacy violations and unauthorized vehicle access.
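One way a command proxy of the kind described above can enforce the ownership check that was missing here, as an added illustration that is not Kia’s code and does not describe Kia’s actual fix: a command is forwarded only when the session’s user is linked to the VIN, a second user can be attached only by the primary owner or through an owner-approved invite, and a dealer activation token can create a vehicle record but never rewrite an existing owner. The roles, function names and the sample registry are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user_id: str
    role: str  # "owner" or "dealer" (hypothetical roles)

@dataclass
class VehicleRecord:
    vin: str
    primary_owner: str
    secondary_users: set = field(default_factory=set)
    pending_invites: set = field(default_factory=set)  # approved by the primary owner

# Constructed sample registry: one vehicle already registered to "alice".
REGISTRY = {"VIN-TEST-0001": VehicleRecord("VIN-TEST-0001", "alice")}

def weak_forward(session, vin, command):
    """The weak pattern: any valid session plus a VIN reaches the vehicle API."""
    if vin not in REGISTRY:
        return "unknown vehicle"
    return f"forwarded {command} for {vin}"

def forward_command(session, vin, command):
    """Hardened: the session's user must be linked to that VIN before forwarding."""
    rec = REGISTRY.get(vin)
    if rec is None or (session.user_id != rec.primary_owner
                       and session.user_id not in rec.secondary_users):
        return "denied"
    return f"forwarded {command} for {vin}"

def add_secondary_user(session, vin, new_user):
    """Only the primary owner's session, or an owner-approved invite, can add a user."""
    rec = REGISTRY.get(vin)
    if rec is None:
        return "denied"
    if session.user_id == rec.primary_owner:
        rec.secondary_users.add(new_user)
        return "added"
    if session.user_id == new_user and new_user in rec.pending_invites:
        rec.pending_invites.discard(new_user)
        rec.secondary_users.add(new_user)
        return "added"
    return "denied"  # dealer tokens and unrelated owner sessions cannot self-enrol

def dealer_register_vehicle(session, vin, owner):
    """Dealer activation may create a record, never overwrite an existing owner."""
    if session.role != "dealer" or vin in REGISTRY:
        return "denied"
    REGISTRY[vin] = VehicleRecord(vin, owner)
    return "registered"
```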
The flaws uncovered in this investigation followed a previous discovery by Curry’s team two years ago, where it identified critical vulnerabilities in over a dozen automakers. Those issues also allowed attackers to remotely disable vehicles and track their locations, affecting approximately 15.5 million vehicles (see: Critical Vulnerabilities Found in Luxury Cars Now Fixed).
Not every car takeover flaw needs a hacking component, of course. Kia in 2023 found itself ushering out software patches to stop a rash of car thefts using a technique popularized on TikTok that required nothing except a screwdriver and a male USB Type A connector to turn the mechanical ignition (see: Kia and Hyundai Fix TikTok Security Challenge).