Kia cars had a vulnerability that allowed them to be remotely controlled using only license plate information



It has been revealed that Kia vehicles had a vulnerability that allowed a vehicle to be remotely controlled simply by obtaining its license plate information. An attacker exploiting the vulnerability could perform operations such as unlocking the vehicle, honking the horn, and displaying the vehicle's location, and could obtain the owner's name, address, email address, etc.

Hacking Kia: Remotely Controlling Cars With Just a License Plate

https://samcurry.net/hacking-kia

The vulnerability was discovered by a research team led by security experts Neiko Rivera and Sam Curry. The research team analyzed the vulnerability using Kia Motors' vehicle registration page for new car buyers as a starting point, and found that an attacker could remotely control a target vehicle through the dealer's API simply by entering the target vehicle's license plate information.



The research team created a tool called 'KIAtool' to demonstrate the vulnerability, which allows users to perform various operations by inputting the license plate information of the target vehicle.



The following video shows a car being remotely controlled from a smartphone using KIAtool.

Kiatool Demo - YouTube


Enter license plate information into KIAtool.



After waiting about 30 seconds, you will be able to control the vehicle remotely. You can also tap 'Fetch Owner' to display the owner's name, address, email address, phone number, etc.



The KIAtool vehicle operation screen looks like this. Buttons such as 'Lock', 'Unlock', 'Honk the horn', and 'Check location information' are lined up.



The video shows the vehicle actually being unlocked.



Location information can also be obtained.



You can also honk the horn.



The researchers reported the vulnerability to Kia Motors, which has since patched it. However, they warned that similar vulnerabilities could emerge in the future, pointing out that 'just as Meta's changes to Facebook's code allowed for account takeovers, new vulnerabilities could appear when automakers release software updates.'

in Ride, Security, Posted by log1o_hf