Kia promises bug never exploited. But even 10-year-old cars were  vulnerable.

Connected Cars Considered Crud

What’s the craic? Andy Greenberg reports: Millions of Vehicles Could Be Hacked and Tracked

“Security for vehicles is very poor”
Security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles. … They were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
…
[The] flaw also allowed hackers to query a broad range of personal information about Kia customers—names, email addresses, phone numbers, home addresses, and even past driving routes in some cases—a potentially massive data leak. [It] works by exploiting a relatively simple flaw in the backend of Kia’s web portal. … They found that there was nothing preventing them from accessing the privileges of a Kia dealer.
…
Kia appears to have fixed the vulnerability … but Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say: … “The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor.”

How did it work? Sergiu Gatlan adds: Kia dealer portal flaw could let attackers hack millions of cars

“Critical details”
The Kia web portal flaws allowed silent, unauthorized access to a vehicle. … The researchers registered a dealer account on Kia’s kiaconnect.kdealer.com dealer portal to gain access.
…
Once authenticated, they generated a valid access token that gave them access to backend dealer APIs, giving them critical details about the vehicle owner and full access to the car’s remote controls. … Attackers could use the backend dealer API to … modify the owner’s access permissions [and] add an attacker-controlled email to the victim’s vehicle.

Horse’s mouth? Neiko Rivera, Sam Curry, Justin Rhinehart and Ian Carroll: Hacking Kia

“Never exploited maliciously”
On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate … in about 30 seconds, regardless of whether it had an active Kia Connect subscription. … Four HTTP requests could be used to send commands to pretty much any Kia vehicle made after 2013.
…
From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified. An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands.
…
The impact here was really obvious to us and we reported it to Kia immediately. … The Kia team has validated this was never exploited maliciously.

A you feeling déjà vu? MMarsh is, too:

We’re hearing variants of this story way too often. Last time it was GM OnStar data ending up in the hands of data brokers. Before that it was Chrysler products letting hackers … inject falsified packets onto the CAN bus saying things like, “Hey ABS controller, I’m a wheel speed sensor, my wheel is locked so please release my brake.”
…
There should be a regulatory requirement stating:
1. Each hardware device capable of transmitting data outside of the car must have a dedicated fuse. …
2. Pulling that fuse must not cause any … adverse effects. …
3. No company should be allowed to demand access to “connected car” data from any person for any reason.

How does this keep happening? jmyeet asks the big questions:

Where’s the strict product liability here? Like, if Kia is making a car that’s easy to [unlock], why isn’t that Kia’s fault and they’re responsible for the damages? We’re talking gross negligence here.
…
This should 100% be the responsibility of the car maker. Why do we let these companies get away with poor security? It’s well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.

Do we even need these connected features? theOtherJT requests that you exit the grassed area:

Yet another reason to keep old cars running. My current daily is … nearly 20 years old. … There is precisely zero need for it to be connected to the internet to do anything. I get in and out by walking up to it, getting the key out, pressing the button on the key.
…
I keep thinking, “It’s really old, I should replace it.” But why? What on earth would I be getting — other than better fuel economy — that I actually want?

Who could have seen this coming? u/worlds_okayest_user feels like this is a “told ya so” moment:

Society has gotten too comfortable with “app-iyfing” everything. When car makers started offering remote start/unlock by phone app, people were amazed. Personally, I was horrified and thought about all the security implications. Even going back to the OnStar days, the thought of remotely unlocking the car doors seemed like a bad idea.

And, in a similar vein, here’s RitchCraft:

You thought ClownStrike was bad? You haven’t seen anything yet. Carpocalypse is only matter of time, not if, but when. Connecting cars to the Internet is just asking for it.

Meanwhile, randomstring takes this to its illogical conclusion:

The obvious next step is to crawl the whole database of vulnerable Kia cars and create a “ride share” app that shows you the nearest Kia and unlocks it for you.

And Finally:

Scammers gonna scam

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: DennisM2 (cc:0; leveled and cropped)