I hope you don't drive a KIA. This is actually a failure of post manufacturing security processes, not that it makes things any better:
Sam Curry, who previously demonstrated remote takeover vulnerabilities in a range of brands – from Toyota to Rolls Royce – found this vulnerability in vehicles as old as model year 2014. The mess means the cars can be geolocated, turned on or off, locked or unlocked, have their horns honked and lights activated, and even have their cameras accessed – all remotely.
...
The issue originated in one of the Kia web portals used by dealerships. Long story short and a hefty bit of API abuse later, Curry and his band of far-more-capable Kia Boyz managed to register a fake dealer account to get a valid access token, which they were then able to use to call any backend dealer API command they wanted.
"From the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified," Curry noted in his writeup. "An attacker could resolve someone's license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk."
Security wags have long called this sort of architecture "broken by design" - it was intentionally set up to allow privileged access via a poorly authenticated system that has to scale through a big organization. I don't have much confidence that KIA can fix this, or that they will likely want to.
And oh yeah - there's a smartphone app to help the Bad Guys.
All I can say is that 1968 Goat isn't vulnerable to this attack, and will never be.
1 comment:
Car theft is lucrative, and the best way to punish those caught in the process is hanging.
Post a Comment