A group of security researchers discovered a serious vulnerability in the web portal of the South Korean car manufacturer Kia, which allowed cars to be hacked remotely and their owners tracked. To carry out the hack, only the victim’s car license plate number was needed. Let’s dive into the details.
Overly connected cars
If you think about it, in the last couple of decades, cars have essentially become big computers on wheels. Even the less “smart” models are packed with electronics and equipped with a range of sensors — from sonars and cameras to motion detectors and GPS.
And not only that; in recent years, these computers have been constantly connected to the internet — with all the ensuing risks. Not long ago, we wrote about how today’s cars collect huge amounts of data about their owners and send it to the manufacturer. Moreover, the manufacturers also sell this collected data to other companies — particularly insurers.
However, there’s another side to this issue: being constantly connected to the internet means that, if there are vulnerabilities — either in the car itself or in the cloud system it communicates with — someone could exploit them to hack the system and track the car’s owner without the manufacturer even knowing.
One bug to rule them all, one bug to find them
This is exactly what happened in this case. Researchers found a vulnerability in Kia’s web portal, which is used by Kia owners and dealers. It turned out that by using the API, the portal allowed anyone to register as a car dealer with just a few fairly simple moves.
This gave the attacker access to features that even car dealers shouldn’t have — at least, not once the vehicle has been handed over to the customer. Specifically, the portal permits first finding any Kia car, and then accessing the owner’s data (name, phone number, email address, and even physical address) — all with just the vehicle’s VIN number.
It should be noted that VIN numbers aren’t exactly secret information — in some countries, they’re publicly available. For instance, in the USA there are many online services you can use to look up a VIN number using a car’s license plate number.
After successfully finding the car, the attacker can use the owner’s data to register any attacker-controlled account in Kia’s system as a new user for the vehicle. From there, the attacker would gain access to various functions normally available to the car’s actual owner through the mobile app.
What’s particularly interesting is that all these features weren’t just available to the dealer who sold that car, but to any dealer registered in Kia’s system.
Hacking a car in seconds
The researchers then developed an experimental app that could take control of any Kia vehicle within seconds simply by entering its license plate number into the input fields. The app would automatically find the car’s VIN through the relevant service and use it to register the vehicle to the researchers’ account.
After that, a single button press in the app would allow the attacker to obtain the vehicle’s current coordinates, lock or unlock the doors, start or stop the engine, or honk the horn.
It’s important to note that in most cases these functions wouldn’t be enough to steal the car. Modern models are usually equipped with immobilizers, which require the physical presence of the key to be disabled. There are some exceptions, but generally these are the cheapest cars that are unlikely to be of much interest to thieves.
Nevertheless, this vulnerability could easily be used to track the car owner, steal valuables left inside the car (or plant something there), or simply disrupt the driver’s life with unexpected actions from the vehicle.
The researchers followed responsible disclosure protocol, informing the manufacturer of the issue and only publishing their findings after Kia fixed the bug. However, they note that they’ve found similar vulnerabilities before and are confident they’ll continue to discover more in the future.