Now-Patched Kia Vulnerabilities Could Have Allowed Remote Control Using Only a License Plate Number

September 30, 2024
CyberThreat Research Lab

By Omar Yang (Senior Threat Researcher, Automotive) and Ling Cheng (Senior Product Marketing Manager)

Kia has patched a set of vulnerabilities that could have enabled remote control of critical functions, such as unlocking and starting, of any affected vehicle. The only prerequisite was the vehicle's license plate number, and the whole process could take as little as half a minute.

The vulnerabilities, discovered by a team of security researchers including Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll, could have allowed an attacker to obtain personal details such as the vehicle owner’s name, phone number, email address, and home address. With that information, the attacker could have been added as another user on the vehicle without the owner’s knowledge.

The vulnerabilities were disclosed in June 2024 and had been remediated by August. Affected Kia vehicles include those with model years after 2013, but the South Korean automotive manufacturer (OEM) maintains that the vulnerabilities have never been exploited in the wild.

Potential attack chain

The potential attack chain begins with a vulnerability in the authentication process for Kia dealers, which allows an attacker to register as a legitimate dealer and gain access to sensitive information from Kia’s servers. In addition, the system does not verify that the user modifying permissions or creating new accounts is actually authorized to do so.

To execute the attack, the attacker first registers as a dealer and retrieves an access token, which is required for all subsequent API calls. The attacker also uses a third-party “license plate to VIN” lookup service to resolve the target vehicle’s vehicle identification number (VIN) using its license plate number. With the VIN and the access token, the attacker can query the vehicle owner’s information, including email address and phone number. Using this information, the attacker can set the true owner as a secondary user (from the perspective of Kia’s servers). The attacker then binds their own Kia account to the vehicle and sets it as the primary user. Once established as the primary user, the attacker gains control over the vehicle’s functions, such as unlocking the doors or starting the car.
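As an added example (not code from this post or from Kia), the following hypothetical model of the user-binding step contrasts a handler that accepts any caller holding a valid token, mirroring the missing check described above, with a hardened handler that requires the caller to be the vehicle's current primary user and records denied attempts for detection. All function and field names, and the VIN, are assumptions constructed for the illustration.

```python
"""Hypothetical vehicle user-binding handlers (constructed example, not Kia's API)."""
from dataclasses import dataclass, field


@dataclass
class Vehicle:
    vin: str
    primary: str                              # account id of the current primary user
    secondaries: set = field(default_factory=set)


def set_primary_vulnerable(vehicle: Vehicle, caller: str, new_primary: str) -> bool:
    """Trusts any authenticated caller (e.g. a self-registered dealer token).

    The real owner is silently demoted to a secondary user and the caller's
    chosen account becomes primary; nothing ties the change to the owner.
    """
    old_primary = vehicle.primary
    vehicle.primary = new_primary
    vehicle.secondaries.discard(new_primary)
    vehicle.secondaries.add(old_primary)
    return True


def set_primary_hardened(vehicle: Vehicle, caller: str, new_primary: str,
                         audit: list) -> bool:
    """Object-level authorization: only the current primary user may hand over
    primary status, and only to an account already bound to the vehicle.

    Denied attempts are written to `audit` so repeated failures against one VIN
    can be alerted on by the back end.
    """
    if caller != vehicle.primary:
        audit.append(f"DENY vin={vehicle.vin} caller={caller} target={new_primary}")
        return False
    if new_primary not in vehicle.secondaries:
        audit.append(f"DENY vin={vehicle.vin} unbound target={new_primary}")
        return False
    old_primary = vehicle.primary
    vehicle.primary = new_primary
    vehicle.secondaries.discard(new_primary)
    vehicle.secondaries.add(old_primary)
    audit.append(f"ALLOW vin={vehicle.vin} {old_primary}->{new_primary}")
    return True
```

The hardened variant ties every role change to the account that currently owns the vehicle, so a token obtained through dealer registration alone cannot rebind it.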

Figure 1. The potential attack chain

Security considerations

Vulnerabilities such as the ones in this case affect car owners by exposing their vehicles to potential theft and unauthorized access. As a result, OEMs like Kia face reputational damage and legal risks, requiring them to improve automotive cybersecurity. Other stakeholders, like insurance companies and regulators, may need to adjust policies and regulations in response to such vulnerabilities.

In this case, the key issue lies in the back-end API vulnerability, particularly involving VIN information. OEMs can strengthen their security in the following ways to ensure that they provide convenient services to customers while maintaining robust security:

  • Shift-left strategy for proactive risk mitigation: By integrating continuous API vulnerability assessments during the design phase, OEMs can proactively identify and address potential API issues before they become critical. This approach minimizes future risks and enhances the overall security posture.
  • Leveraging dark web intelligence for early warning: Continuous monitoring of deep and dark web activities through a trusted solutions provider allows for the correlation of intelligence with potentially impacted vendors and components, and offers actionable insights. For instance, this approach can lead to early detection of leaked VINs. OEMs can then gain additional time to mitigate risks by actively tracking anomalous behavior related to the leaked VINs.
  • Unified risk visibility to boost efficiency: By consolidating data related to API vulnerability and security events into a unified platform, OEMs can achieve comprehensive risk visibility. Advanced analytics, including generative AI (GenAI) capabilities, can correlate these events with past incidents and dark web intelligence. The results can empower OEMs with actionable insights to anticipate and counter potential attacker exploits.

Download our white paper to learn more about automotive API security risks, including real-world examples and an expanded systematic approach to mitigation.
