Kia Dealer Portal Vulnerability Risked Millions of Cars

Kia recently addressed a serious security vulnerability, risking its cars. The vulnerability existed in the Kia dealer portal, allowing an adversary to access victims’ personal information and take control of the target vehicle.

Security Flaw Patched In Kia Dealer Portal

Security researcher Sam Curry recently shared insights about a serious vulnerability threatening the security of Kia cars and their users.

Specifically, Curry and the team noticed that an adversary could target any Kia car using its license plate. The vulnerability existed because entering this detail in the Kia dealer portal could allow immediate access to the target vehicle’s system. This, in turn, would allow the attacker to execute various commands, such as unlocking the car, which risked car theft, starting/stopping the car, and more. Besides, the attacker could also access the vehicle owner’s personal information and add himself as the vehicle’s second owner without alerting the victim.

The issue impacted Kia’s domain “kiaconnect.kdealer.com,” the dealer portal for vehicle registration. An adversary could register a dealer account on this domain and generate access tokens for vehicle registration.

The researchers could register a dealer account using the same HTTP request used to register on Kia Owner’s website, “owners.kia.com.” Once done, the researchers could call the backend dealer APIs to get the vehicle owner’s information, including name, contact number, and email address.

Further, the researchers could also access other endpoints governing vehicle enrollments and modifications. Consequently, they could access the target vehicle’s system, add/delete/modify the vehicle owner, and send arbitrary commands to the vehicle.

The researchers shared the details of this attack in a post, demonstrating the exploit in the following video.

This vulnerability affected Kia vehicles “regardless of an active Kia Connect subscription,” thus enhancing the threat radius. The researchers have also shared a list of all vehicles affected by this flaw.

Following this discovery, the researchers contacted Kia in June 2024. The researchers even developed a tool to demonstrate the exploit during their communication. Ultimately, in August 2024, Kia confirmed patching the flaw, which the researchers also validated.

Let us know your thoughts in the comments.