September 27, 2024 at 07:03AM
Security researcher Sam Curry discovered vulnerabilities in a Kia owners’ website that could have enabled attackers to remotely control millions of cars. The issues allowed for harvesting personal information and creating a second user account without the owner’s knowledge. Kia acknowledged the flaws in June 2024 and implemented a fix in mid-August.
From the meeting notes, the key takeaways are as follows:
1. Security researcher Sam Curry discovered vulnerabilities on the Kia website dedicated to vehicle owners that could potentially allow attackers to remotely control millions of Kia cars.
2. The vulnerabilities could enable attackers to gain control of key vehicle functions using only the car’s license plate and harvest the victim’s personal information, such as name, address, email address, and phone number, without the owner’s knowledge.
3. The issues were reported to Kia in June 2024, and the carmaker acknowledged the flaws and implemented a fix in mid-August.
4. Curry and three other researchers were able to create a proof-of-concept dashboard that allowed an attacker to retrieve the owner’s personal information and start executing commands on the vehicle.
5. The vulnerabilities could be exploited to send commands to “pretty much any Kia vehicle made after 2013”.
The meeting also mentions related topics: a ban sought for Chinese and Russian software and hardware used in autonomous vehicles on US roads; a second Pwn2Own automotive contest offering over $1 million in prizes; a warning issued by the EFF after the discovery of automated license plate reader vulnerabilities; and a new vehicle hack that exposes users’ private data via Bluetooth.