How millions of Kia cars could be tracked

A vulnerability in Kia’s web portal made it possible to hack cars and track their owners. All you needed was the car’s VIN number or just its license plate number.

How to track Kia car owners online

A group of security researchers discovered a serious vulnerability in the web portal of the South Korean car manufacturer Kia, which allowed cars to be hacked remotely and their owners tracked. To carry out the hack, only the victim’s car license plate number was needed. Let’s dive into the details.

Overly connected cars

If you think about it, in the last couple of decades, cars have essentially become big computers on wheels. Even the less “smart” models are packed with electronics and equipped with a range of sensors — from sonars and cameras to motion detectors and GPS.

And not only that; in recent years, these computers have been constantly connected to the internet — with all the ensuing risks. Not long ago, we wrote about how today’s cars collect huge amounts of data about their owners and send it to the manufacturer. Moreover, the manufacturers also sell this collected data to other companies — particularly insurers.

However, there’s another side to this issue: being constantly connected to the internet means that, if there are vulnerabilities — either in the car itself or in the cloud system it communicates with — someone could exploit them to hack the system and track the car’s owner without the manufacturer even knowing.

Car head unit

The so-called “head unit” of a car is just the tip of the iceberg; in fact, today’s cars are stuffed with electronics

One bug to rule them all, one bug to find them

This is exactly what happened in this case. Researchers found a vulnerability in Kia’s web portal, which is used by Kia owners and dealers. It turned out that by using the API, the portal allowed anyone to register as a car dealer with just a few fairly simple moves.

Kia portal for Kia owners and dealers

The Kia portal in which a serious vulnerability was discovered. Source

This gave the attacker access to features that even car dealers shouldn’t have — at least, not once the vehicle has been handed over to the customer. Specifically, the portal permits first finding any Kia car, and then accessing the owner’s data (name, phone number, email address, and even physical address) — all with just the vehicle’s VIN number.

It should be noted that VIN numbers aren’t exactly secret information — in some countries, they’re publicly available. For instance, in the USA there are many online services you can use to look up a VIN number using a car’s license plate number.

Diagram: hacking a Kia car via the web portal

A general scheme of the Kia web portal attack, allowing control over any car using its VIN number. Source

After successfully finding the car, the attacker can use the owner’s data to register any attacker-controlled account in Kia’s system as a new user for the vehicle. From there, the attacker would gain access to various functions normally available to the car’s actual owner through the mobile app.

What’s particularly interesting is that all these features weren’t just available to the dealer who sold that car, but to any dealer registered in Kia’s system.

Hacking a car in seconds

The researchers then developed an experimental app that could take control of any Kia vehicle within seconds simply by entering its license plate number into the input fields. The app would automatically find the car’s VIN through the relevant service and use it to register the vehicle to the researchers’ account.

App developed by researchers for hacking Kia cars

The researchers even created a handy app to simplify hacking — all you need is the Kia car’s license plate number. Source

After that, a single button press in the app would allow the attacker to obtain the vehicle’s current coordinates, lock or unlock the doors, start or stop the engine, or honk the horn.

Hacking and tracking a Kia car

The app could be used to obtain the hacked car’s coordinates and send commands. Source

It’s important to note that in most cases these functions wouldn’t be enough to steal the car. Modern models are usually equipped with immobilizers, which require the physical presence of the key to be disabled. There are some exceptions, but generally these are the cheapest cars that are unlikely to be of much interest to thieves.

Nevertheless, this vulnerability could easily be used to track the car owner, steal valuables left inside the car (or plant something there), or simply disrupt the driver’s life with unexpected actions from the vehicle.

The researchers followed responsible disclosure protocol, informing the manufacturer of the issue and only publishing their findings after Kia fixed the bug. However, they note that they’ve found similar vulnerabilities before and are confident they’ll continue to discover more in the future.

Tips

How to travel safely

Going on vacation? We’ve compiled a traveler’s guide to help you have an enjoyable safe time and completely get away from the routine.