
KIA KO! Web Hackers Vs. The Auto Industry Round 2

Researchers have disclosed a glaring remote access flaw in web-based applications used by KIA automotive dealers. If used by malicious actors, the flaw would give remote attackers the ability to steal owners’ personal information and even take control of their KIA vehicle: locking and unlocking doors, starting or stopping the vehicle and honking its horn – all with nothing more than knowledge of the vehicle’s license plate number!

On September 20, researcher Sam Curry published an account of his discovery of the flaw on his blog, describing a flaw affecting scores of KIA vehicles from the latest models all the way back to the 2013 model year. Even worse: the vehicle owners (aka “victims”) would have received no notifications if malicious actors had accessed their personal information, tracked their whereabouts or even taken remote control of their vehicle.

Lessons not learned: KIA’s struggles with app insecurity continue

The research was a joint, volunteer project of Curry and fellow researchers Neiko Rivera (@specters), Justin Rhinehart (@sshell_) and Ian Carroll (@Iangcarroll). It is a continuation of work that Curry and his counterparts published in January 2023, “Web Hackers Vs. The Auto Industry.” That was a scathing account of the group’s forays into the software and services that support modern, connected vehicles manufactured by more than a dozen automakers and auto industry suppliers.

I ran into Sam at DEF CON in August! (Photo by Paul Roberts.)

As we wrote at the time, Curry and crew found widespread faults, including across platforms operated by Honda, Infiniti, Nissan, Spireon, SiriusXM and Mercedes Benz. For KIA vehicles, Curry and his fellow researchers discovered two years ago that with nothing more than a vehicle’s VIN they could use the KIA Connect application to obtain owner information, remotely lock and unlock vehicles, start and stop the engine, locate the vehicle, flash its headlights and honk the car’s horn. Similar flaws were found in vehicles by Honda, Infiniti, Nissan and Acura. But they also were able to access the 360-view camera and view live images from the car – something that was unique to the KIA platform.

In an email statement to Security Ledger in January 2023, a Kia America spokesperson said that Kia was “implementing countermeasures to further enhance the safety and security of our systems.” However, the latest research brings into question whether such countermeasures were properly enacted.

Curry said that while his group’s forays into the owners.kia.com site this time around were less fruitful, the group soon discovered the existence of another, previously undisclosed web application, kiaconnect.kdealer.com, while digging through the company’s web application code. 

A depiction of the group’s attack flow targeting KIA’s kdealer.com site.

“(We) wondered: what if there was a way to just register as a dealer, generate an access token, then use that access token…?” That hunch paid off, with Curry and his crew successfully registering as a new KIA dealer and authenticating to a dealer account. That gave them the ability to generate a valid access token that could be used to call the backend KIA dealer APIs, gaining access to sensitive data like the vehicle owner’s name, phone number, and email address and potentially “all other dealer endpoints,” Curry wrote. The level of access was very similar to what the group was able to achieve in their research in 2022. 

“The impact here was really obvious to us and we reported it to Kia immediately,” he wrote. 

Anybody home? KIA slow to respond to researchers

The company had been responsive in 2022 during the initial round of discoveries. But it was less so this time around, Curry told The Security Ledger. 

A timeline of the group’s activity shows a more than two month gap between KIA’s initial acknowledgement of receiving information from the researchers on June 10th and acknowledgement that the issues had been resolved on August 14th, with frequent nudging by Curry and his fellow researchers to get the company to respond. 

“We notified them at every part in our journey from finding to disclosure, but they would only respond to 1/4 emails with general statements that weren’t more than a few sentences,” Curry wrote. “We sent maybe 4 or 5 emails in the last month but they didn’t respond to any (‘hey, we are going to disclose’),” he wrote.

KIA did not respond to requests for comment from Security Ledger prior to publication. We will update this story if and when the company issues a response. 

In response to the group’s findings, Curry said that KIA appears to have tightened up the kiaconnect.kdealer.com site: blocking the ability to create dealer accounts and improving the access control needed to leverage APIs. 
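To make the access-control failure concrete, here is a small model, added for this article and not code from KIA or from Curry’s team, of a dealer portal in the weak configuration (any self-registered account gets a usable token) beside the tightened one (tokens are issued only to approved dealer accounts, and the backend API re-checks approval on every call, so revoking an account also cuts off tokens already issued). All names, the HMAC token format and the sample owner record are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET = b"constructed-server-secret"  # constructed for the example only


@dataclass
class DealerPortal:
    """Toy dealer portal; names and token format are illustrative assumptions."""
    require_approval: bool            # False models the weak behaviour
    accounts: dict = field(default_factory=dict)  # dealer_id -> approved?
    owners: dict = field(default_factory=dict)    # plate -> owner record (PII)

    def register_dealer(self, dealer_id: str) -> str:
        # Self-service registration always starts as an unapproved account.
        self.accounts[dealer_id] = False
        return dealer_id

    def approve_dealer(self, dealer_id: str) -> None:
        self.accounts[dealer_id] = True

    def revoke_dealer(self, dealer_id: str) -> None:
        self.accounts[dealer_id] = False

    def issue_token(self, dealer_id: str):
        # Weak: any registered account gets a token. Hardened: approved only.
        if dealer_id not in self.accounts:
            return None
        if self.require_approval and not self.accounts[dealer_id]:
            return None
        body = f"{dealer_id}:{secrets.token_hex(8)}"
        mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{mac}"

    def _verify(self, token: str):
        # Returns the dealer_id the token was minted for, or None if forged.
        try:
            dealer_id, nonce, mac = token.split(":")
        except ValueError:
            return None
        expect = hmac.new(SECRET, f"{dealer_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return dealer_id if hmac.compare_digest(mac, expect) else None

    def lookup_owner(self, token: str, plate: str):
        # Backend dealer API: a valid signature is not enough; the account
        # behind the token must still be approved at the time of the call.
        dealer_id = self._verify(token)
        if dealer_id is None:
            return None
        if self.require_approval and not self.accounts.get(dealer_id):
            return None
        return self.owners.get(plate)
```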

A clear pattern: high risk, low security

Curry’s work in recent years has revealed a pattern in which high-value physical systems like automobiles or even airport screening stations are found to be vulnerable to attacks that leverage vulnerable APIs, as well as web applications and cloud-based infrastructure that is easily discoverable by reviewing application code or communications. “It is a lot easier than you’d think to find these systems,” Curry told me in a recent podcast interview.

Curry likened the ecosystem managing cars and other smart devices to the (in)famous XKCD “dependency” cartoon that shows a mass of “All Modern Digital Infrastructure” propped up by a toothpick-sized piece labeled “a project some random person in Nebraska has been thanklessly maintaining since 2003.” He and his colleagues look for “single points of failure” that give them access to “the most number of vehicles we can.” That leads them to look into platforms hosted and offered by suppliers, like Sirius XM and other suppliers that are a “single point of failure for six or seven different car companies where you pop this one specific component and you can literally just type in someone’s license plate number for six or seven different car brands and it’ll remotely unlock, track everything,” Curry said.

While vulnerability researchers might be keen to poke around technology from a specific company, it is much more impactful to “take a step back and you approach it from ... an impact perspective,” Curry said. “My goal is to fix this bug, which affects hundreds of millions of people. Then you can identify these systems which are those little tiny toothpicks which support the whole ecosystem, right?”
