Full Report
Two years ago, Sam Curry and friends released one of the most banger blog posts ever - hacking every car company. After some time, they decided to come back and see if things had changed. This time, they took a look at Kia.

Originally, they had focused on owners.kia.com and the Kia iOS app because both can remotely execute commands on the vehicle. The owners website used a backend reverse proxy to forward user commands to api.owners.kia.com, whereas the mobile app talked to that API directly. This time around, they decided to tackle the problem from the dealer's side. From talking with friends, they learned that Kia would ask for an email at the dealership and you'd receive a registration link to create a new Kia account or add the car to your pre-existing account. They got an actual link from a friend and started playing around with it. The linking request contained a VIN and a token known as the Vin Key, an access token generated by the Kia dealer that grants a one-time right to modify the vehicle information. Under the hood, this was using the same API at owners.kia.com, but once again through a reverse proxy.

They were curious whether more functionality existed on this API than they knew about. After digging through the JavaScript, they found a function for looking up accounts and vehicles that appeared to be employee-only functionality. Trying to interact with this endpoint returned an error about not having a proper access token. So, what if we can register on the dealer website? They copied the request format from other user-related endpoints, and registration just worked on the dealer website! They logged into the dealer website to generate a dealer token, and it actually worked. With this, they went through the JavaScript to understand the functionality that had been unlocked. They could search for car information based upon a VIN. What they wanted, though, was to remotely take over the car!
From sifting through the JavaScript, they found a chain of roughly seven API calls that let them execute commands on the car: a user lookup, linking the attacker's account to the vehicle, and finally executing the commands. This affects every Kia made after 2013. Neat! They rented a car to see it work, which is hilarious. Like this one, many of the coolest vulnerabilities come from deep recon and understanding your target well. The idea of changing endpoints for the registration request seems simple, but getting there was complicated. Mitigating this doesn't seem trivial, but the timeline of 2 months seems too long. Good write-up!
Analysis Summary
# Vulnerability: Remote Vehicle Takeover via Kia Dealer API Flaws
## CVE Details
- **CVE ID**: Not Assigned (Disclosed via bug bounty/coordinated disclosure)
- **CVSS Score**: Estimated 9.1 (Critical)
- **CWE**: CWE-287 (Improper Authentication), CWE-639 (Authorization Bypass Through User-Controlled Key)
## Affected Systems
- **Products**: Kia Vehicles equipped with remote hardware/telematics.
- **Versions**: Most models manufactured after 2013.
- **Configurations**: Vehicles do not require an active Kia Connect subscription to be vulnerable; hardware presence is the only requirement. Affected models include (but are not limited to) 2024-2025 Sportage, Sorento, EV6, EV9, Soul, Carnival, and K5.
## Vulnerability Description
The vulnerability stems from a series of flawed authentication and authorization checks within Kia's dealer-facing APIs (`kiadotcom` and related dealer portals).
1. **Improper Registration Logic**: Attackers could self-register a "dealer" account on the internal Kia dealer portal by mimicking the request structure used for standard user registration.
2. **Broken Access Control**: Once registered as a dealer, attackers gained access to employee-only endpoints.
3. **Information Leakage**: Using a vehicle's VIN, the dealer API allowed the retrieval of sensitive owner information (name, email, phone number).
4. **Authorization Bypass**: Attackers could utilize a four-step API chain to:
   * Generate a dealer token.
   * Look up the victim's account details via VIN.
   * Demote the legitimate owner's permissions.
   * Add the attacker as the primary account holder on the vehicle.
## Exploitation
- **Status**: PoC available (demonstrated by researchers); Kia validated that it was not exploited in the wild.
- **Complexity**: Medium (Requires understanding of specific API chains and JS-heavy recon).
- **Attack Vector**: Network (Remote execution over the internet).
- **Entry Point**: A license plate number (which is converted to a VIN via third-party APIs).
## Impact
- **Confidentiality**: High (Access to owner's full name, email, phone, and physical address).
- **Integrity**: High (Ability to modify vehicle permissions and add unauthorized users).
- **Availability**: High (Ability to remotely execute commands: Start/Stop engine, Lock/Unlock, Horn/Lights, and Tracking).
## Remediation
### Patches
- **Vendor Fix**: Kia remediated the vulnerable API endpoints and dealer registration logic as of August 14, 2024. No owner action (such as a dealership visit) is required as the fix was implemented on the backend.
### Workarounds
- No manual workarounds were available prior to the patch, as the flaw existed in the backend infrastructure rather than locally in the vehicle firmware.
## Detection
- **Indicators of Compromise**: Unexpected "Secondary User" or changed "Primary User" alerts in the Kia Connect app.
- **Detection Methods**: Kia reviewed backend logs to validate that the specific API chain discovered by the researchers was not utilized by malicious actors prior to the fix.
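As an added example (not code from the write-up or from Kia), the following Python hunt runs over constructed JSON-lines audit records and flags any actor who completes the four-step chain described above (dealer token, VIN owner lookup, owner demotion, new primary user) against one VIN within a short window; the event names, account ids and VINs are assumed labels, not Kia's real endpoints or data.

```python
"""Hunt for the dealer-API takeover chain in constructed audit-log lines."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event labels for the four-step chain; not Kia's real endpoint names.
CHAIN = ["dealer_token_issued", "vin_owner_lookup", "owner_demoted", "primary_user_added"]
# Constructed JSON-lines audit log (ids and VINs made up): acct-9001 completes the
# whole chain, while dealer-0042 is a legitimate dealer who never demotes an owner.
SAMPLE_LOG = """
{"ts": "2024-06-11T10:00:05Z", "actor": "acct-9001", "event": "dealer_token_issued", "vin": null}
{"ts": "2024-06-11T10:00:40Z", "actor": "acct-9001", "event": "vin_owner_lookup", "vin": "VIN-TEST-0001"}
{"ts": "2024-06-11T10:01:10Z", "actor": "acct-9001", "event": "owner_demoted", "vin": "VIN-TEST-0001"}
{"ts": "2024-06-11T10:01:30Z", "actor": "acct-9001", "event": "primary_user_added", "vin": "VIN-TEST-0001"}
{"ts": "2024-06-11T11:00:00Z", "actor": "dealer-0042", "event": "dealer_token_issued", "vin": null}
{"ts": "2024-06-11T11:05:00Z", "actor": "dealer-0042", "event": "vin_owner_lookup", "vin": "VIN-TEST-0002"}
{"ts": "2024-06-11T14:00:00Z", "actor": "dealer-0042", "event": "primary_user_added", "vin": "VIN-TEST-0002"}
"""

def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])

def find_takeover_chains(records, window_minutes=30):
    """Return (actor, vin) pairs whose events complete CHAIN in order within the window;
    token events carry no VIN, so they count toward every VIN the same actor touches."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for r in records:
        by_actor[r["actor"]].append(r)
    hits = []
    for actor, events in by_actor.items():
        for vin in {r["vin"] for r in events if r["vin"]}:
            relevant = [r for r in events if r["vin"] in (None, vin)]
            cursor = start = None
            for step in CHAIN:  # earliest-match walk; each step must follow the previous
                nxt = next((r for r in relevant if r["event"] == step
                            and (cursor is None or r["ts"] > cursor)), None)
                if nxt is None:
                    break
                cursor, start = nxt["ts"], start or nxt["ts"]
            else:
                if cursor - start <= window:
                    hits.append((actor, vin))
    return hits
```

A legitimate dealer who issues a token and looks up a VIN but never demotes the existing owner is not flagged, which keeps the rule focused on the owner-replacement step rather than on dealer activity in general.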
## References
- **Researcher Write-up**: hxxps://samcurry[.]net/posts/hacking-kia
- **Vendor Site**: hxxps://owners[.]kia[.]com