Kia Dealer Portal Vulnerability Risked Millions of Cars
Kia recently addressed a serious security vulnerability that put its cars at risk. The vulnerability existed in the Kia dealer portal and allowed an adversary to access victims’ personal information and take control of the target vehicle.
Security Flaw Patched In Kia Dealer Portal
Security researcher Sam Curry recently shared insights about a serious vulnerability threatening the security of Kia cars and their users.
Specifically, Curry and the team noticed that an adversary could target any Kia car using its license plate. Entering this detail in the Kia dealer portal could allow immediate access to the target vehicle’s system. This, in turn, would allow the attacker to execute various commands, such as unlocking the car (which risked car theft), starting or stopping the car, and more. The attacker could also access the vehicle owner’s personal information and add themselves as the vehicle’s second owner without alerting the victim.
The issue impacted Kia’s domain “kiaconnect.kdealer.com,” the dealer portal for vehicle registration. An adversary could register a dealer account on this domain and generate access tokens for vehicle registration.
The researchers could register a dealer account using the same HTTP request used to register on Kia Owner’s website, “owners.kia.com.” Once done, the researchers could call the backend dealer APIs to get the vehicle owner’s information, including name, contact number, and email address.
Further, the researchers could also access other endpoints governing vehicle enrollments and modifications. Consequently, they could access the target vehicle’s system, add/delete/modify the vehicle owner, and send arbitrary commands to the vehicle.
The researchers shared the details of this attack in a post and demonstrated the exploit in a video.
This vulnerability affected Kia vehicles “regardless of an active Kia Connect subscription,” thus widening the threat radius. The researchers have also shared a list of all vehicles affected by this flaw.
Following this discovery, the researchers contacted Kia in June 2024. The researchers even developed a tool to demonstrate the exploit during their communication. Ultimately, in August 2024, Kia confirmed patching the flaw, which the researchers also validated.