Kia has found and fixed a vulnerability in its website. Researchers could enter license plates there and gain the ability to remotely take over, turn on and track cars.
A group of researchers discovered the vulnerability while checking Kia’s website in June of this year. Customers can register their car through a web portal to turn online features on or off themselves (or through car dealers). That web portal contained the vulnerability. The researchers were able to perform an API call, a capability normally reserved for distributors.
How dangerous was the vulnerability for drivers?
When the researchers entered a vehicle identification number, the API returned the corresponding user data. With that data, the researchers could declare themselves the primary account owner. This gave them all the same capabilities as customers and distributors. They could remotely unlock the vehicle, lock it and obtain its location. Even turning the engine and camera on or off was no problem. This was possible with every Kia car produced after 2013, according to Wired.
To facilitate the process, the researchers developed a tool that automatically looked up the identification number from an entered license plate. That way, they could send commands directly. When Kia was informed of the vulnerability in June, it immediately fixed it. According to the automaker, the vulnerability was never exploited by malicious hackers.
Kia had to put out another fire in the US last year. In the American city of Columbus last summer, cars were also regularly stolen by “The Kia Boys.” Through a USB-A port under the steering wheel, the engine could be started. The YouTube video has already been viewed more than six million times. Instead of reselling the cars illegally, the teens used them only for joyrides.