Security researchers demonstrated that cybercriminals could have exploited these vulnerabilities to remotely take control of a vehicle.

On September 20, 2024, four cybersecurity researchers published a report on critical vulnerabilities that could have led to the hacking of millions of Kia vehicles. Sam Curry, Neiko Rivera, Justin Rhinehart, and Ian Carroll identified several flaws on a website intended for owners of the Korean automaker’s vehicles.

By exploiting these vulnerabilities, the four researchers were able to authenticate to Kia's dealer portal with ordinary customer credentials and obtain an access token that the backend treated as a dealer's. ‘The HTTP response contained the vehicle owner’s name, phone number, and email address. We were able to authenticate on the dealer portal using our usual credentials,’ they wrote.

This access could have allowed a cybercriminal to replace the customer’s email address on the account and, as far as Kia’s systems were concerned, become the legitimate owner of the car. An attacker would only have needed the vehicle’s license plate (registration) number to take control of it. Several critical features would then have been available remotely: unlocking, starting, or tracking the vehicle.
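To make the failure class behind this chain concrete, the following hypothetical Python model is added here as an illustration; it is not code from the researchers' report or from Kia's systems, and every name, VIN, endpoint and credential in it is constructed. It shows two access-control flaws side by side with a hardened version: a privileged (dealer) token issued to anyone who presents ordinary customer credentials to the dealer portal, and an owner-of-record change that nothing ties to the current owner's consent.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical model, constructed for illustration only; not Kia's API.
@dataclass
class Vehicle:
    vin: str
    owner_email: str
    owner_name: str
    owner_phone: str

@dataclass
class Backend:
    users: dict                                   # email -> (password, role)
    vehicles: dict                                # vin -> Vehicle
    tokens: dict = field(default_factory=dict)    # token -> (email, role)
    consents: dict = field(default_factory=dict)  # vin -> owner consent code

def _password_ok(be, email, password):
    rec = be.users.get(email)
    return rec is not None and secrets.compare_digest(rec[0], password)

def login_vulnerable(be, email, password, portal):
    # Flaw 1: the token's role follows the portal requested, not the user record.
    if not _password_ok(be, email, password):
        return None
    tok = secrets.token_hex(16)
    be.tokens[tok] = (email, "dealer" if portal == "dealer" else "customer")
    return tok

def login_hardened(be, email, password, portal):
    # Role comes from the user record; the dealer portal refuses non-dealers.
    if not _password_ok(be, email, password):
        return None
    role = be.users[email][1]
    if portal == "dealer" and role != "dealer":
        return None
    tok = secrets.token_hex(16)
    be.tokens[tok] = (email, role)
    return tok

def _dealer_vehicle(be, token, vin):
    # Returns the vehicle only if the token carries the dealer role.
    caller = be.tokens.get(token)
    if caller is None or caller[1] != "dealer":
        return None
    return be.vehicles.get(vin)

def lookup_owner(be, token, vin):
    # Dealer-only lookup that returns the owner's PII for a vehicle.
    v = _dealer_vehicle(be, token, vin)
    if v is None:
        return None
    return {"name": v.owner_name, "phone": v.owner_phone, "email": v.owner_email}

def change_owner_email_vulnerable(be, token, vin, new_email):
    # Flaw 2: any dealer token can rewrite the owner of record; no owner consent.
    v = _dealer_vehicle(be, token, vin)
    if v is None:
        return False
    v.owner_email = new_email
    return True

def change_owner_email_hardened(be, token, vin, new_email, consent_code):
    # Change allowed only with a one-time code the current owner issued out of band.
    v = _dealer_vehicle(be, token, vin)
    expected = be.consents.get(vin)
    if v is None or expected is None or not secrets.compare_digest(expected, consent_code):
        return False
    del be.consents[vin]
    v.owner_email = new_email
    return True

def make_backend():
    # Constructed sample data: no real people, vehicles or credentials.
    return Backend(
        users={"victim@example.com": ("victim-pass", "customer"),
               "attacker@example.com": ("attacker-pass", "customer"),
               "dealer@example.com": ("dealer-pass", "dealer")},
        vehicles={"VIN0000000000001": Vehicle("VIN0000000000001",
                  "victim@example.com", "Sample Owner", "+10000000000")},
    )

def run_takeover(login, change_email, needs_consent):
    # Replays the chain: customer credentials -> dealer portal -> owner PII -> email rewritten.
    be, vin = make_backend(), "VIN0000000000001"
    tok = login(be, "attacker@example.com", "attacker-pass", portal="dealer")
    pii = lookup_owner(be, tok, vin)
    if needs_consent:
        change_email(be, tok, vin, "attacker@example.com", "00000000")  # guessed code
    else:
        change_email(be, tok, vin, "attacker@example.com")
    return pii is not None, be.vehicles[vin].owner_email

def run_legitimate_transfer():
    # The hardened path still works for a real dealer holding the owner's consent code.
    be, vin = make_backend(), "VIN0000000000001"
    be.consents[vin] = code = secrets.token_hex(4)
    tok = login_hardened(be, "dealer@example.com", "dealer-pass", portal="dealer")
    ok = change_owner_email_hardened(be, tok, vin, "newowner@example.com", code)
    return ok, be.vehicles[vin].owner_email
```

Against the vulnerable pair, `run_takeover(login_vulnerable, change_owner_email_vulnerable, False)` leaks the owner's PII and leaves the attacker as owner of record; against the hardened pair the attacker never receives a dealer token, so neither the lookup nor the change succeeds, while `run_legitimate_transfer()` shows the dealer workflow still functioning once the current owner has issued a consent code.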

The researchers reported the flaws to Kia on June 11, 2024, and the automaker released a fix in mid-August 2024. Kia stated that it had not detected any exploitation of these vulnerabilities leading to the takeover of a vehicle.
