After Sam Curry, Neiko Rivera, Justin Rhinehart, and Ian Carroll found over a dozen vulnerabilities across different car companies two years ago, the team of hackers and bug bounty hunters has returned with a newly discovered vulnerability.
We’ve talked before about APIs and connected cars, and how vulnerabilities in these APIs could allow bad actors to control vehicle functions remotely. Today, we’re going to talk about a newly uncovered vulnerability of this kind that specifically affects KIA vehicles.
The kicker? All the attacker would need for remote access is a license plate.
The vulnerability lies in the backend API that KIA dealers use when a new vehicle is purchased.
The backend API can be used to reach employee-only functions that are exposed through JavaScript on the KIA dealers’ website.
An attacker could map these functions and access them through the API gateway. They could then manage vehicle ownership including taking over functions reserved for the owner. Some examples of these functions include unlocking the vehicle and making it honk.
The only information required to launch this attack is the vehicle’s VIN (vehicle identification number). Using a third-party API, the VIN could be retrieved from the license plate.
KIA uses a reverse proxy in front of the dealers’ API. This API allows activation of a new user account for a KIA customer with a new vehicle, or lets an existing customer add a new vehicle to their account through the activation link.
The KIA dealer website exposes employee-only functionality through JavaScript, though an active session is needed to call it. The backend API endpoint that the proxy forwards to is named in a request header, which looks something like this:
Proxy endpoint the user hits: /apps/services/kdealer/apigwServlet.html
API endpoint the proxy forwards to, taken from the request header: Apiurl: /path/to/endpoint
To test this out, Sam Curry and the other researchers tried to register a dealer through the API URL. They were successful and managed to log in and obtain a valid session that could be used to manage vehicle ownership.
Essentially, by creating and using a dealer account, an attacker could manage a customer’s account and perform actions such as adding or removing owners. Using this dealer account and a third-party API, they could resolve a license plate to a VIN.
Then, with the VIN, they could perform further privileged actions such as honking the horn, unlocking the doors, and more. So effectively, all they need is the car’s license plate, since the VIN can be retrieved from it.
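The weak point in the chain above is a gateway that forwards to whatever backend endpoint a header names, gated only on "is there a session?" rather than "is this caller allowed to reach this endpoint?". The following is an added example, not code from this post, from FireTail, or from KIA: it models that routing decision and contrasts the weak policy with one that allow-lists backend endpoints per role and treats dealer onboarding as an admin-only action. Only the proxy path and the Apiurl header name come from the post; the endpoint names, role names and session layout are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Path of the gateway servlet named in the post.
PROXY_PATH = "/apps/services/kdealer/apigwServlet.html"

# Hypothetical backend endpoints and the roles allowed to call each one.
# These names are constructed for the example; they are not KIA's real routes.
ENDPOINT_ROLES: Dict[str, set] = {
    "/customer/vehicles/list": {"customer", "dealer"},
    "/customer/vehicles/activate": {"customer", "dealer"},
    "/dealer/owner/add": {"dealer"},
    "/dealer/owner/remove": {"dealer"},
    # Creating a dealer account is an onboarding step, not a self-service one.
    "/dealer/register": {"admin"},
}


@dataclass
class Request:
    path: str
    headers: Dict[str, str]
    # None means no session; otherwise {"user": ..., "role": ...}
    session: Optional[Dict[str, str]]


def _target(req: Request) -> Optional[str]:
    """Backend endpoint the caller asked the proxy to forward to."""
    return req.headers.get("Apiurl")


def weak_route(req: Request) -> Tuple[str, str]:
    """Weak policy: any authenticated session may reach any endpoint the header names.

    This is the shape of the problem described in the post: once a session
    exists, the gateway does no per-endpoint authorization of its own.
    """
    if req.path != PROXY_PATH:
        return ("reject", "not the gateway path")
    target = _target(req)
    if not target:
        return ("reject", "missing Apiurl header")
    if req.session is None:
        return ("reject", "no session")
    return ("forward", target)


def hardened_route(req: Request) -> Tuple[str, str]:
    """Hardened policy: the endpoint must be allow-listed and the role permitted."""
    if req.path != PROXY_PATH:
        return ("reject", "not the gateway path")
    target = _target(req)
    if not target:
        return ("reject", "missing Apiurl header")
    if target not in ENDPOINT_ROLES:
        # Unknown or unlisted backend paths are never forwarded.
        return ("reject", "endpoint not on allow-list")
    if req.session is None:
        return ("reject", "no session")
    role = req.session.get("role", "")
    if role not in ENDPOINT_ROLES[target]:
        return ("reject", "role %r not permitted for %s" % (role, target))
    return ("forward", target)


def audit(requests: List[Request]) -> List[Tuple[str, str]]:
    """Return (user, endpoint) pairs that the weak policy would forward but the
    hardened policy rejects. Useful when reviewing gateway logs for calls that
    should never have reached dealer-only functionality."""
    findings = []
    for req in requests:
        if weak_route(req)[0] == "forward" and hardened_route(req)[0] == "reject":
            user = req.session.get("user", "?") if req.session else "anonymous"
            findings.append((user, _target(req) or ""))
    return findings


# Constructed sample traffic: a customer calling a customer endpoint, the same
# customer calling a dealer-only endpoint, and a self-service dealer registration.
SAMPLE_REQUESTS = [
    Request(PROXY_PATH, {"Apiurl": "/customer/vehicles/list"},
            {"user": "alice", "role": "customer"}),
    Request(PROXY_PATH, {"Apiurl": "/dealer/owner/add"},
            {"user": "alice", "role": "customer"}),
    Request(PROXY_PATH, {"Apiurl": "/dealer/register"},
            {"user": "bob", "role": "customer"}),
    Request(PROXY_PATH, {"Apiurl": "/dealer/owner/remove"},
            {"user": "dealer-42", "role": "dealer"}),
]

if __name__ == "__main__":
    for user, endpoint in audit(SAMPLE_REQUESTS):
        print("weak policy would have forwarded %s -> %s" % (user, endpoint))
```

The design point is that the allow-list is keyed on the backend endpoint, not on the proxy path: a gateway that exposes one servlet for every backend call cannot rely on URL-based access rules alone, because every request looks the same until the header is read.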
KIA has since responded to the researchers, and although it took a few weeks of investigation, the issues were resolved as of August 2024. However, without notice from the researchers, KIA might never have discovered these issues in the first place. It’s important to note that vulnerabilities like these are not uncommon, not only in cars but in many of the devices and applications we use in our day-to-day lives. To quote Hyppönen’s law: if it’s smart, it’s vulnerable.
Of course, the risks posed by connected car API vulnerabilities are especially high-value, as they affect both safety and ownership of an expensive asset. And just because KIA has fixed this issue does not mean that KIA or other car companies are immune from vulnerabilities like this one in the future.
What makes these vulnerabilities especially worrying is that the average customer has very limited (if any) knowledge of APIs and would never know if the vulnerabilities were being exploited. All companies have a responsibility to their customers to continually check their API security from all angles so that attacks like these are not possible. Platforms like FireTail can help companies of all sizes that use APIs improve their API security posture.
To learn more about API security or see how FireTail can help you secure your APIs, schedule a demo or start a free trial with us today!