Kia recently addressed a serious security risk putting its cars at risk. The vulnerability existed in the Kia dealer portal, allowing an adversary to access victims’ personal information and take control of the target’s vehicle.

A security flaw has occurred in the Kia dealer portal

Security researcher Sam Currie recently shared insights into a serious threat to the security of Kia cars and their customers.

Specifically, Curry and the team found that an adversary could target any Kia car using its license plate. The vulnerability existed because entering this description in the Kia dealer portal could allow authorization. Quick access to target vehicle systems. This, in turn, would allow the attacker to execute various commands, such as unlocking the car, which Risk of car theftstarting/stopping the car, and more. In addition, the attacker can also access the personal information of the vehicle owner and impersonate the other vehicle owner without alerting the victim.

The issue affected Kia’s domain “kiaconnect.kdealer.com”, the dealer portal for vehicle registration. An adversary can register a dealer account on this domain and create an access token for vehicle registration.

Researchers can register a dealer account using the same HTTP request that is used to register on the Kia Owner website “owners.kia.com”. Once done, researchers can call back-end dealer APIs to retrieve vehicle owner information, including name, contact number, and email address.

In addition, researchers can access other endpoints that control vehicle registration and modification. Consequently, they can access the target vehicle’s system, add/delete/edit the vehicle owner, and send arbitrary commands to the vehicle.

The researchers shared details of the attack in a PostThe following video demonstrates the exploit.

The vulnerability affected Kia vehicles “regardless of an active Kia Connect subscription,” thus increasing the radius of the vulnerability. The researchers have also shared a list of all the vehicles affected by the flaw.

After this discovery, the researchers contacted come on In June 2024. The researchers also developed a tool to reveal the exploitation that occurred during their interactions. Finally, in August 2024, Kia confirmed a fix for the flaw, which was also fixed by the researchers.

Let us know your thoughts in the comments.



Source link