Kia Dealer Portal Vulnerability Risked Millions of Cars

Addressing a Critical Security Vulnerability in Kia Cars

Kia recently took swift action to patch a serious security vulnerability that posed a significant risk to its vehicles and users. The vulnerability, discovered in the Kia dealer portal, allowed malicious actors to access personal information of victims and potentially take control of the target vehicle.

Security Researcher Uncovers Critical Flaw

Security researcher Sam Curry shed light on a critical vulnerability that threatened the security of Kia cars. The flaw could be exploited by an attacker using the vehicle’s license plate to gain unauthorized access to the car’s system through the Kia dealer portal.

By leveraging this vulnerability, the attacker could execute a range of commands, including unlocking the car, starting or stopping the engine, and more, putting the vehicle at risk of theft. Additionally, the attacker could access the vehicle owner’s personal information and even add themselves as a secondary owner without the victim’s knowledge.

The vulnerability affected Kia’s domain “kiaconnect.kdealer.com,” the dealer portal used for vehicle registration. An adversary could register a dealer account on this domain and generate access tokens for vehicle registration.

Curry and the research team were able to register a dealer account using an HTTP request similar to the one used on the Kia Owner’s website, “owners.kia.com.” By then calling the backend dealer APIs, they could access the vehicle owner’s information, such as name, contact number, and email address.

Furthermore, the researchers could access endpoints related to vehicle enrollments and modifications, granting them control over the target vehicle’s system and the ability to send commands to the vehicle.
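The flow described above comes down to a dealer token being accepted without checking who holds it or which vehicle it is used on. The following is an added example, not code from Kia or from the researchers: a simplified model of that weak check next to a deny-by-default one. All class names, action names, and VIN strings are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model: none of these names come from Kia's real API.
DEALER_ACTIONS = {"lookup_owner", "add_secondary_owner", "send_command"}

@dataclass
class DealerAccount:
    dealer_id: str
    vetted: bool  # approved out of band, not merely self-registered
    assigned_vins: set = field(default_factory=set)

@dataclass
class Request:
    account: DealerAccount
    action: str
    vin: str
    owner_confirmed: bool = False  # owner approved the change in their own session

def authorize_weak(req: Request) -> bool:
    """Simplified failure mode: holding any dealer token is enough."""
    return req.account is not None

def authorize_hardened(req: Request) -> tuple[bool, str]:
    """Deny by default; check the account, the vehicle, and the owner on each request."""
    acct = req.account
    if acct is None or not acct.vetted:
        return False, "dealer account not vetted"
    if req.action not in DEALER_ACTIONS:
        return False, "unknown action"
    if req.vin not in acct.assigned_vins:
        return False, "vehicle not assigned to this dealer"
    if req.action == "add_secondary_owner" and not req.owner_confirmed:
        return False, "owner confirmation required"
    return True, "ok"

# Constructed sample accounts and requests.
SELF_REGISTERED = DealerAccount("D-selfreg", vetted=False)
REAL_DEALER = DealerAccount("D-1001", vetted=True, assigned_vins={"VIN-CONSTRUCTED-0001"})

def demo():
    cases = [
        Request(SELF_REGISTERED, "lookup_owner", "VIN-CONSTRUCTED-0002"),
        Request(REAL_DEALER, "lookup_owner", "VIN-CONSTRUCTED-0002"),
        Request(REAL_DEALER, "add_secondary_owner", "VIN-CONSTRUCTED-0001"),
        Request(REAL_DEALER, "add_secondary_owner", "VIN-CONSTRUCTED-0001", owner_confirmed=True),
    ]
    return [(authorize_weak(r), *authorize_hardened(r)) for r in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The weak check passes all four constructed requests, while the hardened check allows only the last one, where a vetted dealer acts on an assigned vehicle with the owner's confirmation.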

The researchers detailed their findings in a post, accompanied by a demonstration video showcasing the exploit.

This security vulnerability posed a threat to Kia vehicles regardless of whether they had an active Kia Connect subscription, which widened the potential impact. The researchers also compiled a list of affected vehicles for reference.

Upon discovering the vulnerability, the researchers promptly notified Kia in June 2024 and even developed a tool to demonstrate the exploit. Kia took swift action and confirmed the flaw had been patched by August 2024, as validated by the researchers.
