CyberWatch

VINs and Losses: How Hackers Take Kias for a Ride

By

Matt Berns, Threat Intelligence Analyst

By

Access Point Consulting

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

The Discovery: Exploiting the Digital Age of Cars

The vulnerability was uncovered by security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll. Through their investigation, they found a way to exploit the Kia dealership infrastructure, allowing hackers to remotely gain control over vehicles. The attack involved registering a fake account and generating access tokens. These tokens, along with a few HTTP requests, allowed hackers to retrieve sensitive information, including the car owner's name, email address, and phone number. Worse, they could add themselves as an invisible secondary user, giving them unauthorized access to the vehicle without the owner's knowledge.

In just four HTTP requests, attackers could access the vehicle’s systems. They would first generate a dealer token, then fetch the owner's personal information, modify previous access permissions using the vehicle's VIN and leaked email address, and finally, position themselves as the primary owner. This left the true owner completely unaware of any changes, as they received no notifications of the unauthorized actions.

Remote Control: What Hackers Could Do

Once inside the system, hackers could execute a series of remote commands that allowed them to control key functions of the vehicle:

Remote Lock/Unlock: The doors could be locked or unlocked at will.

  • Remote Lock/Unlock: The doors could be locked or unlocked at will.
  • Remote Start/Stop: The engine could be started or turned off remotely.
  • Geolocation: Hackers could track the car’s location in real time.
  • Remote Horn/Light Activation: The horn and lights could be manipulated, potentially as a distraction or signal.
  • Access to Cameras: In certain models, even the car’s cameras could be hijacked.

These capabilities mean that, in theory, a hacker could steal a car, track its location, or cause significant disruption, all while the owner remains unaware. Worse still, this attack affected a wide range of Kia models produced after 2013, putting a substantial number of vehicles at risk.

How the Vulnerability Was Exploited

The simplicity of the attack was alarming. A hacker could use a vehicle’s license plate to initiate an attack, retrieve personal information, and within 30 seconds, gain control of the car. The vulnerability extended far beyond just locking or unlocking doors. Hackers could remotely start or stop the engine, which opens the door to vehicle theft, unauthorized access, or even placing the car’s occupants in danger.

The vulnerabilities were responsibly disclosed to Kia in July 2024, and the company acted quickly, issuing a patch in August 2024. Despite this, the incident serves as a cautionary tale for the entire automotive industry. Although no instances of this vulnerability being exploited in the real world have been reported, the potential for harm was immense.

A Broader Trend: Cars as Cyber Targets

This is not the first-time vulnerabilities in connected cars have been exposed. Sam Curry, one of the researchers involved in this Kia case, was also part of a team that discovered similar issues in Honda and Nissan vehicles in December 2022. In those instances, hackers were able to exploit flaws using the vehicles’ VIN numbers to remotely control car functions.

The vulnerability in Kia vehicles, however, illustrates an even more concerning trend. Cars are no longer just machines; they are now smart devices on wheels, loaded with data and constantly connected to the internet. This transformation means that vehicles are now subject to the same cybersecurity risks as other connected devices, such as smartphones or computers. But unlike other devices, a compromised vehicle could result in far more serious consequences, such as theft, property damage, or even harm to passengers.

Industry Response: Patching Isn’t Enough

Kia’s prompt response to the vulnerability was commendable, but it also raised critical questions about the future of cybersecurity in the automotive industry. Akhil Mittal, Senior Security Consulting Manager at Synopsys Software Integrity Group, commented on the broader implications of the flaw.

“This Kia vulnerability isn’t just a technical flaw—it’s a red flag for the entire automotive industry,” Mittal stated. “The idea that a hacker could unlock, track, or even start your car using just a license plate number sounds like science fiction, but it’s happening today.”

Mittal went on to emphasize that while Kia’s patch was reassuring, it exposed the significant cybersecurity gap in modern vehicles.

“In a few simple steps, a hacker could access sensitive information, change ownership, and take control of the vehicle without the owner’s knowledge. With nearly all Kia models made after 2013 affected, it’s clear that modern cars are now connected devices and vulnerable to the same cybersecurity risks as our phones and computers,” he explained.

The automotive industry has always placed a high priority on crash safety, but now it must take cybersecurity just as seriously. If manufacturers don’t act quickly, these types of vulnerabilities could become an everyday risk for drivers. Regular software updates, stronger encryption, and better communication with car owners are no longer optional—they are essential to protecting connected cars from the rising tide of cyber threats.

The Future of Connected Cars: Security First

As cars become increasingly reliant on internet connectivity, the risk of cyberattacks will only continue to grow. Automakers must stay ahead of the curve by integrating cybersecurity measures into every stage of vehicle design and production. This includes performing rigorous security audits, collaborating with cybersecurity experts, and creating systems that can be updated remotely to quickly address potential vulnerabilities.

For car owners, this incident serves as a reminder to stay vigilant. Just as we are accustomed to updating our smartphones and computers to protect against the latest security threats, we may need to start thinking the same way about our vehicles. Staying informed about security patches, regularly updating vehicle software, and paying attention to any alerts or unusual behavior could help mitigate the risks of cyberattacks.

In the end, the Kia vulnerability may have been patched, but it shines a light on a growing issue that the automotive industry must address head-on. As our vehicles evolve into smart, connected devices, the threats to their security will evolve as well. It’s now up to manufacturers, cybersecurity experts, and car owners alike to ensure that the future of driving remains as safe in the digital world as it is on the open road.  

Resources

Trending Articles & Security Reports

Resources

CyberWatch

November 22, 2024

Patch Updates, New Malware Threats, and the Ongoing Supply Chain Battle

On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.

Find out more
October 25, 2024

Ransomware, Supply Chain Attacks, and Nation-State Threats

CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube. .

Find out more
October 3, 2024

Vulnerability in SolarWinds Managed File Transfer Server Actively Exploited

CVE-2024-28995 SolarWinds has issued a critical update for a zero-day vulnerability in its Serv-U MFT Server, allowing attackers to bypass security and access restricted files without authentication. Actively exploited, this flaw poses a significant risk for businesses that delay applying the fix.

Find out more