{"id":8663,"date":"2024-09-28T08:18:58","date_gmt":"2024-09-28T15:18:58","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=8663"},"modified":"2024-09-28T08:18:58","modified_gmt":"2024-09-28T15:18:58","slug":"flaw-in-kias-web-portal-let-researchers-track-hack-cars","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2024\/09\/28\/flaw-in-kias-web-portal-let-researchers-track-hack-cars\/","title":{"rendered":"Flaw in Kia\u2019s Web Portal Let Researchers Track, Hack Cars"},"content":{"rendered":"\n<p>And this is exactly why internet connected cars is a bad idea (story below). Not only is it a tracking and control avenue for when they get super serious about &#8220;saving&#8221; the planet and limiting what you can do in your vehicle, but they&#8217;re just terrible at security. And I&#8217;m no expert, but from a previous video I watched on how expensive it was to fix a Ford pickup, there was a communications bus used by all the vehicle&#8217;s systems which could lead to all kinds of hacking avenues, with some possibly leading to expensive repairs. 
I personally would disable internet connectivity if purchasing a new vehicle, and research if that will cause my check engine light to come on.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Repair Cost Are Out of Control: $5,600 Bill for Some Tail Lamps?!\" width=\"1290\" height=\"726\" src=\"https:\/\/www.youtube.com\/embed\/MUkFsuilVD0?start=513&#038;feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><a href=\"https:\/\/arstechnica.com\/cars\/2024\/09\/flaw-in-kia-web-portal-let-researchers-track-hack-cars\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/arstechnica.com\/cars\/2024\/09\/flaw-in-kia-web-portal-let-researchers-track-hack-cars\/<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_020baa56-d07e-4667-8dc6-b6e5ca96e777\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<h5 class=\"wp-block-heading\">Bug let researchers track millions of cars, unlock doors, and start engines at will.<\/h5>\n\n\n\n<p>By Andy Greenberg<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/carhack-800x571.jpg\" alt=\"car center console with the word HACKED\"\/><figcaption class=\"wp-element-caption\">Chesky_w via 
Getty<\/figcaption><\/figure>\n\n\n\n<p>When security researchers in the past found ways to hijack vehicles&#8217; Internet-connected systems, their proof-of-concept demonstrations tended to show, thankfully, that hacking cars is hard. Exploits like the ones that hackers used to remotely take over a <a href=\"https:\/\/www.wired.com\/2015\/09\/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars\/#:~:text=7%3A00%20AM-,GM%20Took%205%20Years%20to%20Fix%20a%20Full%2DTakeover%20Hack,known%20remote%20car%20hacking%20technique.\">Chevrolet Impala in 2010<\/a> or a <a href=\"https:\/\/www.wired.com\/2015\/07\/hackers-remotely-kill-jeep-highway\/\">Jeep in 2015<\/a> took years of work to develop and required ingenious tricks: reverse engineering the obscure code in the cars\u2019 telematics units, delivering malicious software to those systems via audio tones played over radio connections, or even putting a disc with a malware-laced music file into the car\u2019s CD drive.<\/p>\n\n\n\n<p>This summer, one small group of hackers demonstrated a technique to hack and track millions of vehicles that\u2019s considerably easier\u2014as easy as finding a simple bug in a website.<\/p>\n\n\n\n<p>Today, a group of independent security researchers <a href=\"https:\/\/samcurry.net\/hacking-kia\">revealed<\/a> that they&#8217;d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles\u2014dozens of models representing millions of cars on the road\u2014from the smartphone of a car\u2019s owner to the hackers\u2019 own phone or computer. 
By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle\u2019s license plate and within seconds gain the ability to track that car\u2019s location, unlock the car, honk its horn, or start its ignition at will.<\/p>\n\n\n\n<p>After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group\u2019s findings and hasn\u2019t responded to WIRED\u2019s emails since then. But Kia\u2019s patch is far from the end of the car industry\u2019s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they\u2019ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias&#8217; digital systems last year. And those bugs are just two among a <a href=\"https:\/\/samcurry.net\/web-hackers-vs-the-auto-industry\">slew of similar web-based vulnerabilities they\u2019ve discovered within the last two years<\/a> that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.<\/p>\n\n\n\n<p>\u201cThe more we\u2019ve looked into this, the more it became very obvious that web security for vehicles is very poor,\u201d says Neiko \u201cspecters\u201d Rivera, one of the researchers who both found the latest Kia vulnerability and worked with a larger group responsible for the previous collection of web-based car security issues revealed in January of last year.<\/p>\n\n\n\n<p>\u201cOver and over again, these one-off issues keep popping up,\u201d says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. 
\u201cIt&#8217;s been two years, there&#8217;s been a lot of good work to fix this problem, but it still feels really broken.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Read a license plate, hack a car<\/h2>\n\n\n\n<p>Before they alerted Kia to its latest security vulnerability, the research group tested their web-based technique on a handful of Kias\u2014rentals, friends\u2019 cars, even cars on dealer lots\u2014and found that it worked in every case. They also showed the technique to WIRED, demonstrating it on the 2020 Kia Soul of a security researcher introduced to them just minutes earlier in a parking lot in Denver, Colorado, as seen in the video above.<\/p>\n\n\n\n<p>The group\u2019s web-based Kia hacking technique doesn\u2019t give a hacker access to driving systems like steering or brakes, nor does it overcome the so-called immobilizer that prevents a car from being driven away, even if its ignition is started. It could, however, have been combined with immobilizer-defeating techniques popular among car thieves or used to steal lower-end cars that don&#8217;t have immobilizers\u2014<a href=\"https:\/\/www.motortrend.com\/news\/hyundai-fixing-kia-boys-theft-security-vulnerability-free\/\">including some Kias.<\/a><\/p>\n\n\n\n<p>Even in cases when it didn&#8217;t allow outright theft of a car, the web flaw could have created significant opportunities for theft of a car&#8217;s contents, harassment of drivers and passengers, and other privacy and safety concerns.<\/p>\n\n\n\n<p>\u201cIf someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,\u201d says Curry. \u201cIf we hadn\u2019t brought this to Kia\u2019s attention, anybody who could query someone\u2019s license plate could essentially stalk them.\u201d For Kias that come installed with a 360-degree camera, that camera, too, was accessible to hackers. 
Beyond allowing the hijacking of connected features in cars themselves, Curry says, the web portal flaw also allowed hackers to query a broad range of personal information about Kia customers\u2014names, email addresses, phone numbers, home addresses, and even past driving routes in some cases\u2014a potentially massive data leak.<\/p>\n\n\n\n<p>The Kia hacking technique the group found works by exploiting a relatively simple flaw in the backend of Kia&#8217;s web portal for customers and dealers, which is used to set up and manage access to its connected car features. When the researchers sent commands directly to the API of that website\u2014the interface that allows users to interact with its underlying data\u2014they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles&#8217; features to any customer account they created. \u201cIt\u2019s really simple. They weren&#8217;t checking if a user is a dealer,\u201d says Rivera. \u201cAnd that&#8217;s kind of a big issue.\u201d<\/p>\n\n\n\n<p>Kia&#8217;s web portal allowed lookups of cars based on their vehicle identification number (VIN). But the hackers found they could quickly find a car&#8217;s VIN after obtaining its license plate number using the website PlateToVin.com.<\/p>\n\n\n\n<p>More broadly, Rivera adds, any dealer using the system seemed to have been trusted with a shocking amount of control over which vehicles&#8217; features were linked with any particular account. 
\u201cDealers have way too much power, even over vehicles that don\u2019t touch their lot,\u201d Rivera says.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A dozen carmakers\u2019 websites, millions of hackable cars<\/h2>\n\n\n\n<p>Curry and Rivera, who worked with two other researchers to develop their hacking technique, reported their findings to Kia shortly after demonstrating them to WIRED in June, and the company responded to an inquiry from WIRED to note that it was investigating their findings. \u201cWe take this matter very seriously, and value our collaboration with security researchers,\u201d a spokesperson wrote.<\/p>\n\n\n\n<p>Shortly after the researchers reported the issue, Kia did make a change to its web portal API that appeared to block their technique, the researchers say. Then, in August, Kia told the researchers it had validated their findings but was still working on implementing a permanent fix for the problem. Kia hasn&#8217;t updated the researchers since or responded to WIRED&#8217;s questions. But after the standard 90-day window given to companies to fix security issues that researchers report, the hackers decided to go public with their findings\u2014though they haven&#8217;t released their Kia-hacking proof-of-concept application and don&#8217;t plan to.<\/p>\n\n\n\n<p>The Kia-hacking research group first began to assemble around the idea of probing carmakers&#8217; websites and APIs for vulnerabilities in late 2022. A few of them were staying with a friend on a college campus and messing around with the app for a mobile scooter company when they accidentally triggered all the company&#8217;s scooters across the campus to <a href=\"https:\/\/www.youtube.com\/watch?v=YRAy3wv5SCk&amp;t=4s\">honk and flash their lights for 15 minutes<\/a>. At that point, the group \u201cbecame super interested in trying more ways to make more things honk,\u201d as Curry would write\u2014including vehicles more significant than scooters. 
Soon after, Curry discovered that Rivera, who&#8217;d long been focused on car hacking and had previously worked at the carmaker Rivian, was already looking at web vulnerabilities in vehicle telematics.<\/p>\n\n\n\n<p>In January 2023, they published the initial results of their work, an <a href=\"https:\/\/samcurry.net\/web-hackers-vs-the-auto-industry\">enormous collection of web vulnerabilities<\/a> affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari\u2014all of which they had reported to the automakers. For at least half a dozen of those companies, the web bugs the group found offered at least some level of control of cars&#8217; connected features, they wrote, just as in their latest Kia hack. Others, they say, allowed unauthorized access to data or the companies&#8217; internal applications. Still others targeted fleet management software for emergency vehicles and could have even prevented those vehicles from starting, they believe\u2014though they didn&#8217;t have the means to safely test out that potentially dangerous trick.<\/p>\n\n\n\n<p>In June of this year, Curry says, he discovered that Toyota appeared to still have a similar flaw in its web portal that, in combination with a leaked dealer credential he found online, would have allowed remote control of Toyota and Lexus vehicles&#8217; features like tracking, unlocking, honking, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email seeming to demonstrate that he&#8217;d been able to reassign himself control of a target Toyota&#8217;s connected features over the web. 
Curry didn&#8217;t film a video of that Toyota hacking technique before reporting it to Toyota, however, and the company quickly patched the bug he&#8217;d disclosed, even temporarily taking its web portal offline to prevent its exploitation.<\/p>\n\n\n\n<p>\u201cAs a result of this investigation, Toyota promptly disabled the compromised credentials and is accelerating security enhancements of the portal, as well as temporarily disabling the portal until enhancements are complete,\u201d a Toyota spokesperson wrote to WIRED in June.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More smart features, more dumb bugs<\/h2>\n\n\n\n<p>The extraordinary number of vulnerabilities in carmakers&#8217; websites that allow remote control of vehicles is a direct result of companies&#8217; push to appeal to consumers\u2014particularly young ones\u2014with smartphone-enabled features, says Stefan Savage, a professor of computer science at UC San Diego whose research team was the first to <a href=\"https:\/\/ieeexplore.ieee.org\/document\/5504804\">hack a car&#8217;s steering and brakes over the Internet in 2010<\/a>. \u201cOnce you have these user features tied into the phone, this cloud-connected thing, you create all this attack surface you didn\u2019t have to worry about before,\u201d Savage says.<\/p>\n\n\n\n<p>Still, he says, even he is surprised at the insecurity of all the web-based code that manages those features. \u201cIt\u2019s a little disappointing that it\u2019s as easy to exploit as it has been,\u201d he says.<\/p>\n\n\n\n<p>Rivera says he&#8217;s observed firsthand in his time working in automotive cybersecurity that car companies often put more focus on \u201cembedded\u201d devices\u2014digital components in non-traditional computing environments like cars\u2014rather than web security, in part because updating those embedded devices can be far more difficult and lead to recalls. 
\u201cIt was clear ever since I started that there was a glaring gap between embedded security and web security in the auto industry,\u201d Rivera says. \u201cThese two things mix together very often, but people only have experience in one or the other.\u201d<\/p>\n\n\n\n<p>UCSD&#8217;s Savage hopes that the Kia-hacking researchers&#8217; work might help shift that focus. Many of the early, high-profile hacking experiments that affected cars&#8217; embedded systems, like the 2015 Jeep takeover and the 2010 Impala hack pulled off by Savage&#8217;s team at UCSD, persuaded automakers that they needed to better prioritize embedded cybersecurity, he says. Now car companies need to focus on web security too\u2014even, he says, if it means making sacrifices or changes to their process.<\/p>\n\n\n\n<p>\u201cHow do you decide, \u2018We\u2019re not going to ship the car for six months because we didn\u2019t go through the web code?\u2019 That\u2019s a tough sell,\u201d he says. \u201cI would like to think this kind of event causes people to look at that decision more fully.\u201d<\/p>\n\n\n\n<p><em>This story originally appeared on <a href=\"https:\/\/www.wired.com\/story\/kia-web-vulnerability-vehicle-hack-track\/\">wired.com<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>And this is exactly why internet connected cars is a bad idea (story below). Not only is it a tracking and control avenue for when they get super serious about &#8220;saving&#8221; the planet and limiting what you can do in your vehicle, but they&#8217;re just terrible at security. 
And I&#8217;m no expert, but from a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-8663","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/8663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=8663"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/8663\/revisions"}],"predecessor-version":[{"id":8664,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/8663\/revisions\/8664"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=8663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=8663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=8663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}