Kia: Security Flaw Enabled Remote Access to Millions of Vehicles

A severe security flaw in the web portal of car manufacturer Kia allowed security researchers to gain control over millions of vehicles. The vulnerability, discovered by a group of independent experts in June 2024, affected nearly all internet-connected Kia models from recent years.

The technical details of the hack reveal alarming shortcomings in the company’s IT security architecture, shining a spotlight on the cybersecurity challenges facing the automotive industry.

The primary entry point for the security researchers was the flawed authentication system in Kia’s dealer portal. They were able to register as dealers without proper verification, thereby gaining access to functions that should have been restricted to authorised dealers. By analysing the JavaScript code of the dealer website, the experts were able to trace and manipulate the structure of the API calls.

A critical weakness lay in the generation and use of session tokens. The Kia backend generated a “Sid Session ID” header for authentication with the backend API, which the researchers were able to replicate, producing valid session tokens. Particularly concerning was the fact that the system did not verify whether a user was actually authorised to access a specific vehicle.

This security flaw allowed the researchers to develop their own app, enabling them to send commands to any vehicle. They could locate vehicles by their registration number, unlock them, and even start the engine – all remotely and without any physical access to the vehicle.

In addition to controlling vehicle functions, the vulnerability also granted access to sensitive customer data, such as names, addresses, and even past driving routes. This posed a significant privacy risk, and could have been exploited by criminals for identity theft or targeted attacks.
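The missing checks described above (no verification of dealer registrations, and no check that a session is authorised for the specific vehicle) can be illustrated with a short sketch. This is an added example, not code from Kia or from the researchers; the account names, VINs, status codes and function names are hypothetical, and the token format is deliberately simplified (no expiry or session store).

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret: it never leaves the backend.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample data (not real accounts or vehicles).
ACCOUNTS = {
    "alice": {"role": "owner", "verified": True},
    "dealer-7": {"role": "dealer", "verified": True},
    "selfreg": {"role": "dealer", "verified": False},  # self-registered, never vetted
}
VEHICLE_ACCESS = {"VIN-AAA": {"alice", "dealer-7"}, "VIN-BBB": {"bob"}}

def _mac(account_id):
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()

def issue_token(account_id):
    """Session token bound to the account by a server-keyed MAC."""
    return f"{account_id}.{_mac(account_id)}"

def authenticate(token):
    """Return the account id if the MAC verifies, else None."""
    account_id, _, mac = token.rpartition(".")
    if not account_id:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(account_id).encode()):
        return None
    return account_id

def command_without_object_check(token, vin):
    """Flawed pattern: any valid session may act on any vehicle."""
    return 401 if authenticate(token) is None else 200

def command_with_object_check(token, vin):
    """Hardened pattern: authenticate, require a vetted account,
    then check that this account is bound to this vehicle."""
    account_id = authenticate(token)
    if account_id is None:
        return 401
    account = ACCOUNTS.get(account_id)
    if account is None or not account["verified"]:
        return 403  # registration alone grants nothing
    if account_id not in VEHICLE_ACCESS.get(vin, set()):
        return 403  # valid session, but not for this vehicle
    return 200
```

The per-vehicle check has to run on the server for every request, since anything enforced only in the portal's JavaScript can be read and bypassed by the client.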

Kia’s Response

After the vulnerability was discovered in June 2024, the researchers reported it to Kia in July, prompting the company to launch an internal investigation. Kia implemented security patches in August, and a public disclosure followed in September.

In an official statement, a Kia spokesperson said:

“We take the security of our customers very seriously and have taken immediate action to resolve the identified vulnerability. Our investigations have shown that no customer data was compromised. We are continually working to improve our systems and prevent similar incidents in the future.”

This case is part of a growing series of security issues among car manufacturers in recent years. Prof. Dr Michael Schmidt, a cybersecurity expert at TU Berlin, commented:

“This case once again highlights the importance of integrating cybersecurity into the development process from the outset. It is not enough to secure only the vehicle systems – associated online services must also meet the highest security standards.”

The automotive industry is working on new standards for the cybersecurity of connected vehicles.

The United Nations Economic Commission for Europe (UNECE) has already introduced regulations requiring manufacturers to implement a comprehensive cybersecurity management system. Kia has announced plans to further strengthen its security measures and collaborate closely with external security experts.

For Kia vehicle owners, experts recommend the following steps:

  • Regularly install software updates
  • Use strong, unique passwords for Kia accounts
  • Enable two-factor authentication where available
  • Be cautious when sharing vehicle data with third parties

As vehicles become increasingly connected and digitalised, the issue of cybersecurity in the automotive sector continues to grow in importance. Experts are calling for stricter regulations and greater investment in IT security to prevent similar incidents in the future.

The complexity of the hack highlights the importance of thorough security audits for web applications and APIs in the automotive sector. It underscores the need to comprehensively secure not just the vehicle systems themselves, but also the associated online services and infrastructures.

For vehicle owners, keeping their vehicle software up to date remains the best protection against known security flaws, while the industry continues to be tasked with improving security measures and adapting to new threats.


The article is primarily based on the following sources:
