Vulnerable U
Posts
Hacking 15M+ Cars With Just Their License Plate

Hacking 15M+ Cars With Just Their License Plate

Matt Johansen
September 26, 2024

Why it matters: Security flaws in Kia vehicles enable unauthorized control over critical functions using just a license plate.

The big picture: Discovered in June 2024, these vulnerabilities allow attackers to unlock doors and obtain personal data of vehicle owners without their knowledge.

Key details:

Affected models: Multiple Kia vehicles, including 2025 and earlier models.
Execution time: Attacks can be launched in under 30 seconds.
Impact: Attackers could silently add themselves as users to victims’ vehicles.

What’s being done: Kia has addressed the vulnerabilities and confirmed no malicious exploitation occurred.

The bottom line: Historicaly car hacking has been done in complicated ways involving the car’s electronics systems. This was an old fashioned web app bug that allowed broad control over vehicles.

Zooming In: Sam Curry has been on a tear this year as an avid web hacker and bug bounty hunter. We recently covered his research that found a SQL Injection flaw in a critical TSA website that allowed him to add people to the “Known Crew Member” database and bypass security checkpoints, potentially accessing the cockpit of planes.

Further Credit: Sam published the research on his blog but gives additional researchers credit for this:

Neiko Rivera (https://twitter.com/_specters_)
Sam Curry (https://twitter.com/samwcyo)
Justin Rhinehart (https://twitter.com/sshell_)
Ian Carroll (https://twitter.com/iangcarroll)

The full writeup: Check out Sam’s blog on this here. He goes through his whole research process.

The Attack:

Timeline:

06/07/24 04:40 PM UTC - Inquiry sent to Kia team on correct place to report vulnerabilities
06/10/24 01:21 PM UTC - Response by Kia Team
06/11/24 10:41 PM UTC - Report sent to Kia
06/12/24 06:20 PM UTC - Email to bump ticket due to criticality
06/14/24 06:00 PM UTC - Response from Kia team that they were investigating
06/18/24 04:41 PM UTC - Email to bump ticket due to criticality, added screenshots of tool
06/20/24 02:54 AM UTC - Email to bump ticket, included screenshot of license plate to access tool
08/12/24 12:30 PM UTC - Email to bump ticket, asking for update
08/14/24 05:41 PM UTC - Response from Kia team indicating they had remediated the vulnerability and were performing testing
09/26/24 08:15 AM UTC - Disclosed vulnerability publicly after validating it had been remediated

Woah. Millions of cars can be hacked just by knowing the license plate number.
This is done through a simple web app bug too, no complicated car hacking involved.
I also don't think it's fixed yet... 🧵
— Matt Johansen (@mattjay)
2:55 PM • Sep 26, 2024

mattjayy
View more on Instagram