Two years after the Kia Challenge, when hackers discovered a method to steal nearly any KIA and Hyundai model produced after 2011, the Korean automaker is once again under scrutiny. A recently found vulnerability permits the unlocking and starting of any Kia using only the license plate number.
A hacker recently uncovered a significant flaw in Kia's dealer system, allowing malicious actors to take control of any vehicle by just utilizing its license plate. Cars can be entirely unlocked without the need for a remote key or even access to the vehicle itself.
Sam Curry, a security researcher and "white" hacker, made this discovery alongside a friend while investigating Kia Connect—a program that remotely manages various car functions. Owners rely on this application daily to lock, disable, or start their cars, as well as to check their status and prepare the vehicle for use.
The researcher identified that the way the Kia Connect program communicates with Kia servers to send commands to vehicles poses a significant security risk. Curry implemented a method used by Kia dealers to assign new cars to owners via the KIA KDealer platform. This vulnerability allowed him to impersonate a Kia dealership attempting to register a customer’s vehicle.
To gain control, Curry needed the vehicle's VIN, which is readily available "if you know where to look." To remotely access the compromised car, he developed a tool that utilizes a third-party API to match the victim’s license plate with its actual VIN.
The developed tool functioned with every KIA model released in the last decade. In just seconds, the hacker not only gains access to the vehicle but also to personal data, including the owner's name, phone number, email address, and the car's location. The attacker can also add themselves as a second invisible user of the victim's vehicle without their knowledge. In some models, the tool even enables remote access to the car’s cameras.
Two years ago, it was revealed how easy it was to start the engine of most Kia and Hyundai models. This was made possible due to the absence of electronic immobilizers in many cars manufactured in the U.S. from 2011 to 2021. The discovery created significant issues for Hyundai and Kia owners and remains a blemish on the reputation of the Korean automakers.
Moreover, teenagers are still breaking into Hyundai and KIA vehicles, even though driving without a key is impossible. Insuring Hyundai or KIA is also challenging, as some companies refuse coverage due to theft risks. Additionally, KIA and Hyundai were among the brands recently added to the infamous "Game Boy" key emulator database, which has facilitated theft.
Fortunately, KIA learned about the new vulnerability before it escalated into a more significant problem. The Korean automaker successfully addressed the issue, but yet another successful hacking attempt raises fundamental concerns regarding the safety of these vehicles.
Source: Autoevolution
Comments (0)
There are no comments for now