TechRadar
Sead Fadilpašić

Millions of Kia cars could have been hacked due to dealer software portal flaw


A vulnerability in a piece of software could have allowed hackers to discover, unlock, and start any Kia vehicle built after 2013, experts have warned.

The news was broken by cybersecurity researcher and bug bounty hunter Sam Curry, previously known for finding similar flaws affecting 15 million Ferraris, BMWs, Porsches, and other vehicles.

Curry found a way to obtain tokens from the Kia dealer website that granted far more access than intended. After registering an account on the Kia dealership site and logging in, the site issued Curry a token that gave him access to backend dealer APIs. From there, with nothing more than a license plate number, he was able to find the location of any Kia car built after 2013, unlock it, honk its horn, and start or stop it entirely.

Exposing private data

Furthermore, the token gives him access to plenty of sensitive customer information: full names, phone numbers, email addresses, and postal addresses. Curry was also able to add himself as a second user on any of the vehicles, without the first user knowing.

"The HTTP response contained the vehicle owner's name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header," Curry said.
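The quote above describes a classic authorization failure: a client-supplied header, rather than the server's own record of who issued the token and for which channel, decided whether a request was treated as dealer traffic. The following is an added illustration (not Kia's code or Curry's tooling) of that weak pattern beside its hardened form; the `X-Channel` header name, the `/dealer/` path and the HMAC token layout are assumptions chosen for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed; a real key lives in a KMS
DEALER_ONLY = {"/dealer/vehicles/lookup"}  # assumed dealer-only endpoint


def issue_token(user: str, channel: str) -> str:
    """Server issues a token whose channel claim is bound by an HMAC tag."""
    body = json.dumps({"sub": user, "channel": channel}).encode()
    payload = base64.urlsafe_b64encode(body).decode().rstrip("=")
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the tag matches; None for missing or tampered tokens."""
    payload, _, tag = token.partition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload + pad))


def authorize_vulnerable(headers: dict, path: str) -> bool:
    """Weak: the channel that gates dealer endpoints is read from a client header."""
    claims = verify_token(headers.get("Authorization", ""))
    if claims is None:
        return False
    # Anyone holding a valid consumer token can set this header themselves.
    channel = headers.get("X-Channel", claims["channel"])
    return path not in DEALER_ONLY or channel == "dealer"


def authorize_fixed(headers: dict, path: str) -> bool:
    """Hardened: the channel comes only from the server-signed token claims."""
    claims = verify_token(headers.get("Authorization", ""))
    if claims is None:
        return False
    return path not in DEALER_ONLY or claims["channel"] == "dealer"
```

The fix is to treat every request attribute that selects a privilege level as untrusted unless it was bound into the credential by the server at issue time.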

Soon after reporting his findings to the company, Kia patched the hole up: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously," Curry concluded.

Ever since software was introduced into personal cars, privacy has been a major pain point. Most car makers, including Toyota and Mercedes, have had data-related incidents in the past.

Via BleepingComputer
