A group of security researchers discovered critical flaws in Kia’s dealer portal that could let hackers locate and steal millions of Kia cars made after 2013 using just the targeted vehicle’s license plate.

Almost two years ago, in 2022, some of the hackers in this group, including security researcher and bug bounty hunter Sam Curry, found other critical vulnerabilities impacting over a dozen car companies that would’ve allowed criminals to remotely locate, disable starters, unlock, and start over 15 million vehicles made by Ferrari, BMW, Rolls Royce, Porsche, and other carmakers.

Today, Curry revealed that the Kia web portal vulnerabilities discovered on June 11th, 2024, could be exploited to control any Kia vehicle equipped with remote hardware in under 30 seconds, “regardless of whether it had an active Kia Connect subscription.”

The flaws also exposed car owners’ sensitive personal information, including their name, phone number, email address, and physical address, and could have enabled attackers to add themselves as a second user on the targeted vehicles without the owners’ knowledge.

To further demonstrate the issue, the team built a tool showing how an attacker could enter a vehicle’s license plate and, within 30 seconds, remotely lock or unlock the car, start or stop it, honk the horn, or locate the vehicle.

The researchers registered a dealer account on Kia’s kiaconnect.kdealer.com dealer portal to gain access to this information.

Once authenticated, they generated a valid access token that gave them access to backend dealer APIs, giving them critical details about the vehicle owner and full access to the car’s remote controls.

They found that attackers could use the backend dealer API to:

• Generate a dealer token and retrieve it from the HTTP response
• Access the victim’s email address and phone number
• Modify the owner’s access permissions using leaked information
• Add an attacker-controlled email to the victim’s vehicle, allowing for remote commands

“The HTTP response contained the vehicle owner’s name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header,” Curry said.

From there, attackers could enter a vehicle’s VIN (vehicle identification number) through the API and remotely track, unlock, start, or honk the car without the owner’s knowledge.

The Kia web portal flaws allowed silent, unauthorized access to a vehicle since, as Curry explained, “from the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified.”

“These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously,” Curry added.