Millions of Kia vehicles were vulnerable to remote attacks with just a license plate number
In June of 2024 security researchers uncovered a set of vulnerabilities in the Kia dealer portal that allowed them to remotely take over any Kia vehicle built after 2013—and all they needed was a license plate number.
According to the researchers:
“These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.”
How was this possible?
First, it’s important to understand that the Kia “dealer portal” is where authorized Kia dealers can match customer accounts with the VIN number of their new car. For the customer accounts, Kia would ask the buyer for their email address at the dealership and send a registration link to that address where the customer could either set up a new Kia account or add their newly purchased vehicle to an existing Kia account.
The researchers found out that by sending a specially crafted request they could create a dealer account for themselves. After some more manipulation they were able to access all dealer endpoints which gave them access to customer data like names, phone numbers, and email addresses.
As the new “dealer,” the security researchers were also able to search by Vehicle Identification Number (VIN) number, which is a unique identifier for a vehicle. With the VIN number and the email address of the rightful owner, the researchers were able to demote the owner of the vehicle so that they could add themselves as the primary account holders.
Unfortunately, the rightful owner would not receive any notification that their vehicle had been accessed nor their access permissions modified.
But to find the VIN number of a car you’ll need physical access to the vehicle, right? Not entirely.
In several countries, including the US and the UK, there are vehicle databases that you can query to provide you with a VIN number based on the license plate number. The researchers used a third-party API to convert the license plate number to a VIN.
Depending on the vehicle and whether Kia Connect was active, the primary account holder is able to remotely lock/unlock, start/stop, honk, and locate the vehicle.
The researchers created a proof-of-concept tool where they could enter the license plate and in two steps they could retrieve the owner’s personal information, and then execute remote commands on the vehicle.
The researchers responsibly disclosed their findings to Kia, which has since remediated the vulnerabilities found by the researchers. Kia assured that the vulnerabilities have not been exploited maliciously.
Vulnerabilities in cars are not new. In fact, the researchers that found these vulnerabilities did that as a follow-up to their earlier research. And too often we find that car makers are more interested in adding new features than securing their existing ones. So, we can expect that vulnerabilities like these will continue to be uncovered and we should be glad that these researchers chose to disclose their findings and give Kia a chance to fix the vulnerabilities before disclosing them.