Kia Vehicles Vulnerability: Remote Hacks via License Plate
Overview
- Discovery: Found by independent researcher Sam Curry and detailed in a September 26 report
- Background: Part of follow-up research on vulnerabilities in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others
Vulnerability Details
- Exploitation Method:
  - Utilized Kia’s dealer portal to gain unauthorized access
  - Required only a license plate number to retrieve the Vehicle Identification Number (VIN)
  - Allowed attackers to modify user accounts and execute vehicle commands
- Commands Possible:
  - Unlock/lock doors
  - Start/stop engine
  - Honk horn
  - Locate vehicle
Security Breach Consequences
- Data Compromise: Access to personal information such as names, emails, and addresses
- Covert Access: Attackers could add themselves as secondary users without owner notification
Mitigation and Response
- Discovery and Disclosure: Vulnerability found in June 2024
- Patch Released: Kia addressed the vulnerabilities by mid-August 2024
- No Known Exploitation: No evidence of malicious use before patching
Implications for Automotive Security
- Highlights ongoing cybersecurity challenges in connected vehicles
- Emphasizes need for robust security measures in automotive systems