{"id":52497,"date":"2024-10-28T08:47:39","date_gmt":"2024-10-28T12:47:39","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52497"},"modified":"2024-10-28T08:47:39","modified_gmt":"2024-10-28T12:47:39","slug":"tracking-and-hacking-kia-cars-via-internet","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/tracking-and-hacking-kia-cars-via-internet\/52497\/","title":{"rendered":"How millions of Kia cars could be tracked"},"content":{"rendered":"<p>A group of security researchers <a href=\"https:\/\/samcurry.net\/hacking-kia\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> a serious vulnerability in the web portal of the South Korean car manufacturer Kia, which allowed cars to be hacked remotely and their owners tracked. To carry out the hack, only the victim\u2019s car license plate number was needed. Let\u2019s dive into the details.<\/p>\n<h2>Overly connected cars<\/h2>\n<p>If you think about it, in the last couple of decades, cars have essentially become big computers on wheels. Even the less \u201csmart\u201d models are packed with electronics and equipped with a range of sensors \u2014 from sonars and cameras to motion detectors and GPS.<\/p>\n<p>And not only that; in recent years, these computers have been constantly connected to the internet \u2014 with all the ensuing risks. Not long ago, we wrote about how <a href=\"https:\/\/www.kaspersky.com\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/49341\/\" target=\"_blank\" rel=\"noopener nofollow\">today\u2019s cars collect huge amounts of data about their owners<\/a> and send it to the manufacturer. 
Moreover, the manufacturers also <a href=\"https:\/\/www.kaspersky.com\/blog\/car-manufacturers-silently-sell-user-telematics-data\/51245\/\" target=\"_blank\" rel=\"noopener nofollow\">sell this collected data to other companies<\/a> \u2014 particularly insurers.<\/p>\n<p>However, there\u2019s another side to this issue: being constantly connected to the internet means that, if there are vulnerabilities \u2014 either in the car itself or in the cloud system it communicates with \u2014 someone could exploit them to hack the system and track the car\u2019s owner without the manufacturer even knowing.<\/p>\n<div id=\"attachment_52503\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28075252\/tracking-and-hacking-kia-cars-via-internet-1.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52503\" class=\"size-full wp-image-52503\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28075252\/tracking-and-hacking-kia-cars-via-internet-1.jpg\" alt=\"Car head unit \" width=\"1460\" height=\"971\"><\/a><p id=\"caption-attachment-52503\" class=\"wp-caption-text\">The so-called \u201chead unit\u201d of a car is just the tip of the iceberg; in fact, today\u2019s cars are stuffed with electronics<\/p><\/div>\n<h2>One bug to rule them all, one bug to find them<\/h2>\n<p>This is exactly what happened in this case. Researchers found a vulnerability in Kia\u2019s web portal, which is used by Kia owners and dealers. 
It turned out that by using the API, the portal allowed anyone to register as a car dealer with just a few fairly simple moves.<\/p>\n<div id=\"attachment_52504\" style=\"width: 1456px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28075347\/tracking-and-hacking-kia-cars-via-internet-2.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52504\" class=\"size-full wp-image-52504\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28075347\/tracking-and-hacking-kia-cars-via-internet-2.jpg\" alt=\"Kia portal for Kia owners and dealers \" width=\"1446\" height=\"851\"><\/a><p id=\"caption-attachment-52504\" class=\"wp-caption-text\">The Kia portal in which a serious vulnerability was discovered. <a href=\"https:\/\/samcurry.net\/hacking-kia\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>This gave the attacker access to features that even car dealers shouldn\u2019t have \u2014 at least, not once the vehicle has been handed over to the customer. Specifically, the portal permits first finding any Kia car, and then accessing the owner\u2019s data (name, phone number, email address, and even physical address) \u2014 all with just the vehicle\u2019s VIN number.<\/p>\n<p>It should be noted that VIN numbers aren\u2019t exactly secret information \u2014 in some countries, they\u2019re publicly available. 
For instance, in the USA there are many <a href=\"https:\/\/www.faxvin.com\/license-plate-lookup\/result?plate=8VIR650&amp;state=CA\" target=\"_blank\" rel=\"nofollow noopener\">online services<\/a> you can use to look up a VIN number using a car\u2019s license plate number.<\/p>\n<div id=\"attachment_52505\" style=\"width: 2058px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28075446\/tracking-and-hacking-kia-cars-via-internet-3.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52505\" class=\"size-full wp-image-52505\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28075446\/tracking-and-hacking-kia-cars-via-internet-3.jpg\" alt=\"Diagram: hacking a Kia car via the web portal \" width=\"2048\" height=\"1419\"><\/a><p id=\"caption-attachment-52505\" class=\"wp-caption-text\">A general scheme of the Kia web portal attack, allowing control over any car using its VIN number. <a href=\"https:\/\/samcurry.net\/hacking-kia\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>After successfully finding the car, the attacker can use the owner\u2019s data to register any attacker-controlled account in Kia\u2019s system as a new user for the vehicle. From there, the attacker would gain access to various functions normally available to the car\u2019s actual owner through the mobile app.<\/p>\n<p>What\u2019s particularly interesting is that all these features weren\u2019t just available to the dealer who sold that car, but to any dealer registered in Kia\u2019s system.<\/p>\n<h2>Hacking a car in seconds<\/h2>\n<p>The researchers then developed an experimental app that could take control of any Kia vehicle within seconds simply by entering its license plate number into the input fields. 
The app would automatically find the car\u2019s VIN through the relevant service and use it to register the vehicle to the researchers\u2019 account.<\/p>\n<div id=\"attachment_52506\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28075544\/tracking-and-hacking-kia-cars-via-internet-4.gif\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52506\" class=\"size-full wp-image-52506\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28075544\/tracking-and-hacking-kia-cars-via-internet-4.gif\" alt=\"App developed by researchers for hacking Kia cars \" width=\"800\" height=\"426\"><\/a><p id=\"caption-attachment-52506\" class=\"wp-caption-text\">The researchers even created a handy app to simplify hacking \u2014 all you need is the Kia car\u2019s license plate number. <a href=\"https:\/\/samcurry.net\/hacking-kia\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>After that, a single button press in the app would allow the attacker to obtain the vehicle\u2019s current coordinates, <a href=\"https:\/\/www.youtube.com\/watch?v=jMHFCpQdZyg\" target=\"_blank\" rel=\"nofollow noopener\">lock or unlock the doors<\/a>, start or stop the engine, or honk the horn.<\/p>\n<div id=\"attachment_52500\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28074853\/tracking-and-hacking-kia-cars-via-internet-5.gif\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52500\" class=\"size-full wp-image-52500\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/10\/28074853\/tracking-and-hacking-kia-cars-via-internet-5.gif\" alt=\"Hacking and tracking a Kia car \" width=\"800\" height=\"426\"><\/a><p id=\"caption-attachment-52500\" class=\"wp-caption-text\">The app could be used to obtain the 
hacked car\u2019s coordinates and send commands. <a href=\"https:\/\/samcurry.net\/hacking-kia\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>It\u2019s important to note that in most cases these functions wouldn\u2019t be enough to steal the car. Modern models are usually equipped with immobilizers, which can only be disabled when the key is physically present. There are some exceptions, but generally these are the cheapest cars that are unlikely to be of much interest to thieves.<\/p>\n<p>Nevertheless, this vulnerability could easily be used to track the car owner, steal valuables left inside the car (or plant something there), or simply disrupt the driver\u2019s life with unexpected actions from the vehicle.<\/p>\n<p>The researchers followed responsible disclosure protocol, informing the manufacturer of the issue and only publishing their findings after Kia fixed the bug. However, they note that they\u2019ve <a href=\"https:\/\/samcurry.net\/web-hackers-vs-the-auto-industry\" target=\"_blank\" rel=\"nofollow noopener\">found<\/a> similar vulnerabilities before and are confident they\u2019ll continue to discover more in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A vulnerability in Kia&#8217;s web portal made it possible to hack cars and track their owners. 
All you needed was the car&#8217;s VIN number or just its license plate number.<\/p>\n","protected":false},"author":2706,"featured_media":52498,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1788,1789,2683],"tags":[542,651,730,82,43,192,97,768,422,812,268],"class_list":{"0":"post-52497","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-technology","9":"category-threats","10":"tag-car-hacking","11":"tag-cars","12":"tag-connected-cars","13":"tag-hacking","14":"tag-privacy","15":"tag-protection","16":"tag-security-2","17":"tag-surveillance","18":"tag-threats","19":"tag-tracking","20":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/tracking-and-hacking-kia-cars-via-internet\/52497\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/tracking-and-hacking-kia-cars-via-internet\/28213\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/tracking-and-hacking-kia-cars-via-internet\/23468\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/tracking-and-hacking-kia-cars-via-internet\/12134\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/tracking-and-hacking-kia-cars-via-internet\/28353\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/tracking-and-hacking-kia-cars-via-internet\/27773\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/tracking-and-hacking-kia-cars-via-internet\/30513\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/tracking-and-hacking-kia-cars-via-internet\/29267\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/tracking-and-hacking-kia-cars-via-internet\/38443\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/tracking-and-hacking-kia-cars-via-internet\/12916\/"},{"hreflang":"fr","url":"https
:\/\/www.kaspersky.fr\/blog\/tracking-and-hacking-kia-cars-via-internet\/22339\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/tracking-and-hacking-kia-cars-via-internet\/23104\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/tracking-and-hacking-kia-cars-via-internet\/31742\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/tracking-and-hacking-kia-cars-via-internet\/28434\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/tracking-and-hacking-kia-cars-via-internet\/34307\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/tracking-and-hacking-kia-cars-via-internet\/33934\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cars\/","name":"Cars"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52497","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52497"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52497\/revisions"}],"predecessor-version":[{"id":52507,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52497\/revisions\/52507"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52498"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52497"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52497"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52497"}],"curi
es":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}