User:JLin3012/sandbox
Disciplinary Expertise: Cyber Security
Page: Automotive hacking
Content Gap: The incident of hacking into KIA
2024: Remote control of Kia cars through a license plate
On June 11, 2024, a group of researchers led by Sam Curry discovered a vulnerability in Kia’s web portal that allowed them to reassign control of the internet-connected features of any Kia vehicle manufactured after 2013[1]. Although the vulnerability did not permit the group to interact with the car’s driving systems, they built a custom application targeting it that enabled them to scan any “connected” vehicle’s license plate and track the car’s location, unlock the car, honk its horn, or start its ignition—all on command[1][2][3]. These kinds of vulnerabilities are not new and have occurred in cars built by other manufacturers such as Acura, Genesis, and others. While the web portal vulnerability for Kia was quickly patched, the same group of researchers found similar vulnerabilities in multiple other car manufacturers, including but not limited to Ferrari, BMW, Rolls Royce, Porsche, and Toyota[4].
The team exploited the Kia web portal vulnerability by leveraging API weaknesses in both the dealer and owner websites. They began by registering on the Kia Connect dealer website using a legitimate registration link sent to customers[1][2][3]. By analyzing the backend API communication, they discovered that Kia’s systems inadequately authenticated users in the dealer system. Using this knowledge, they manipulated HTTP requests, modifying headers and tokens to simulate authorized dealer credentials[1][2][3]. With the dealer credentials and access token, they were able to find information related to a car’s VIN by accessing the dealer API gateway endpoint, which is essentially an API for dealership functionality[1][2][3]. The HTTP response to a request made with the token gave access to the vehicle owner's name, phone number, and email address[1][2][3].
After gaining access to the personal information, the researchers escalated their access to the owner portal by replacing the email associated with a vehicle owner’s account. This step added the attackers as secondary users without alerting the original owner, enabling control over the vehicle[1][2][3]. They then sent commands such as unlocking doors, starting engines, or tracking vehicle locations by issuing properly formatted API calls[1][2][3]. Because the system sent no notifications, the researchers were able to do all of this without the owner of the vehicle ever knowing[1].
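The two gaps described above (dealer status inferred from what the client sent, and account changes made without telling the owner) can be modelled as server-side checks. The following is an added defensive sketch, not code from Kia or from the cited sources; the `Backend` class, tokens, VINs and e-mail addresses are constructed, and binding each dealer to specific VINs is an assumption.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """The server-side records do not authorize this call."""

@dataclass
class Backend:  # hypothetical model, not Kia's API
    sessions: dict    # token -> (role, dealer_id), stored server-side
    vin_dealer: dict  # VIN -> dealer_id bound to that vehicle (assumption)
    owners: dict      # VIN -> account e-mails, primary owner first
    outbox: list = field(default_factory=list)  # (recipient, message)

    def _dealer_for(self, token, claimed_role=None):
        # Role comes from the session store; a role claimed in request
        # headers (claimed_role) is deliberately never consulted.
        role, dealer_id = self.sessions.get(token, (None, None))
        if role != "dealer":
            raise Forbidden("token is not a dealer session")
        return dealer_id

    def lookup_owner(self, token, vin, claimed_role=None):
        dealer_id = self._dealer_for(token, claimed_role)
        # Object-level check: this dealer must be bound to this VIN.
        if dealer_id is None or self.vin_dealer.get(vin) != dealer_id:
            raise Forbidden("dealer not associated with this vehicle")
        return self.owners[vin][0]

    def add_secondary_user(self, token, vin, new_email, claimed_role=None):
        primary = self.lookup_owner(token, vin, claimed_role)
        self.owners[vin].append(new_email)
        # The existing owner is always notified of an account change.
        self.outbox.append((primary, f"{new_email} added to vehicle {vin}"))
        return list(self.owners[vin])

def denied(call, *args, **kwargs):
    """Return True if the call is refused with Forbidden."""
    try:
        call(*args, **kwargs)
    except Forbidden:
        return True
    return False

def demo():
    # Constructed sample data: tokens, VINs and addresses are placeholders.
    return Backend(
        sessions={"tok-dealer-A": ("dealer", "A"), "tok-customer": ("customer", None)},
        vin_dealer={"VIN-SAMPLE-1": "A", "VIN-SAMPLE-2": "B"},
        owners={"VIN-SAMPLE-1": ["owner1@example.test"],
                "VIN-SAMPLE-2": ["owner2@example.test"]},
    )
```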
https://samcurry.net/web-hackers-vs-the-auto-industry
https://samcurry.net/hacking-kia
https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/
- [1] "Hacking Kia: Remotely Controlling Cars With Just a License Plate". samcurry.net. 2024-09-20. Retrieved 2025-02-27.
- [2] Greenberg, Andy. "Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug". Wired. ISSN 1059-1028. Retrieved 2025-02-27.
- [3] Arntz, Pieter (2024-09-27). "Millions of Kia vehicles were vulnerable to remote attacks with just a license plate number". Malwarebytes. Retrieved 2025-02-27.
- [4] "Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More". samcurry.net. 2023-01-03. Retrieved 2025-02-27.