
Two years after the Kia Challenge, after hackers found a way to steal almost any KIA and Hyundai produced after 2011, the Koreans are back in the spotlight. A newly discovered vulnerability allows any Kia to be unlocked and started with a license plate alone.
Recently, a hacker discovered a serious vulnerability in Kia’s dealership system that allows attackers to gain control of any car using just a license plate. The car can be completely unlocked without access to the key fob or even the car.
Sam Curry, a security researcher and «white hat» hacker, made the discovery with one of his friends while researching Kia Connect, a program that remotely controls many car functions. Owners use the app every day to lock, unlock, or start their cars, or simply to check on their status and prepare them for departure.
The researcher found that the problem lay in how the KIA Connect app communicates with Kia’s servers to send commands to the vehicles. Curry used the method that Kia dealers use to assign new cars to owners through the KIA KDealer platform. The vulnerability allowed him to impersonate a Kia dealership trying to register a customer’s vehicle.
To gain control, Curry needed the vehicle’s VIN number, but it’s easily available «if you know where to look». To gain remote access to the compromised vehicle, he developed a tool that uses a third-party API to match the victim’s license plate with their actual VIN.
The tool worked with every KIA model released over the past decade. In a matter of seconds, the hacker gets not only access to the car but also to personal data. This includes the name, phone number, email address, and location of the car. The attacker can also add himself as a second invisible user of the victim’s vehicle without their knowledge. On some models, the tool even allows remote access to the car’s cameras.
Two years ago, it was discovered how easy it was to start the engine of most Kia and Hyundai models. This became possible due to the lack of an electronic immobilizer in many cars manufactured in the United States from 2011 to 2021. The discovery created huge problems for Hyundai and Kia owners and still remains a black mark on the reputation of Korean automakers.
Moreover, teenagers still break into Hyundai and KIA cars, even though it is impossible to drive without a key. It is also difficult to insure a Hyundai or KIA, as some companies refuse to cover the risk of theft in this case. KIA and Hyundai were also among the brands recently added to the infamous «Game Boy» key emulator database, making them easier to steal.
Fortunately, KIA learned about the new vulnerability before it became a problem. The Korean automaker successfully fixed it, but another successful hacking attempt raises fundamental doubts about the security of these cars.
Source: Autoevolution