Informatics, Technology, and Cyber Security


Friday, 27 September 2024

Autonomous Car Hacking


 

Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates

Cybersecurity researchers have disclosed a set of now-patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions using only a license plate.

"These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription," security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll said.

The issues impact almost all vehicles made after 2013, even letting attackers covertly gain access to sensitive information including the victim's name, phone number, email address, and physical address.

Essentially, this could then be abused by the adversary to add themselves as an "invisible" second user on the car without the owner's knowledge.

The crux of the research is that the issues exploit the Kia dealership infrastructure ("kiaconnect.kdealer[.]com") used for vehicle activations to register for a fake account via an HTTP request and then generate access tokens.

The token is subsequently used in conjunction with another HTTP request to a dealer APIGW endpoint and the vehicle identification number (VIN) of a car to obtain the vehicle owner's name, phone number, and email address.

What's more, the researchers found that gaining access to a victim's vehicle was as trivial as issuing four HTTP requests, ultimately allowing internet-to-vehicle commands to be executed:

  • Generate the dealer token and retrieve the "token" header from the HTTP response using the aforementioned method
  • Fetch victim's email address and phone number
  • Modify owner's previous access using leaked email address and VIN number to add the attacker as the primary account holder
  • Add attacker to victim vehicle by adding an email address under their control as the primary owner of the vehicle, thereby allowing for running arbitrary commands

"From the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified," the researchers pointed out.

"An attacker could resolve someone's license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk."

In a hypothetical attack scenario, a bad actor could enter the license plate of a Kia vehicle in a custom dashboard, retrieve the victim's information, and then execute commands on the vehicle after around 30 seconds.
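A defender-side sketch of how the request chain described above could be surfaced from API gateway audit logs. This is an added example, not code from the researchers or Kia; the action names, thresholds, account labels and sample events are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical audit-log action names; not the real dealer API schema.
CHAIN = ("owner_lookup", "owner_modify", "owner_add")
WINDOW_S = 120        # assumed: the whole chain completes within two minutes
NEW_ACCOUNT_S = 3600  # assumed: a dealer account under an hour old is "new"
# Constructed sample events: (ts_seconds, account, action, vin)
EVENTS = [
    (0,    "dealer-B", "register",       None),
    (1000, "dealer-A", "register",       None),
    (1005, "dealer-A", "owner_lookup",   "VIN-TEST-0001"),
    (1012, "dealer-A", "owner_modify",   "VIN-TEST-0001"),
    (1020, "dealer-A", "owner_add",      "VIN-TEST-0001"),
    (5000, "dealer-B", "owner_lookup",   "VIN-TEST-0002"),
    (9000, "dealer-B", "owner_modify",   "VIN-TEST-0002"),  # too slow for WINDOW_S
    (9010, "dealer-B", "owner_add",      "VIN-TEST-0002"),
    (9500, "dealer-B", "owner_lookup",   "VIN-TEST-0003"),
    (9520, "dealer-B", "owner_modify",   "VIN-TEST-0003"),
    (9530, "dealer-B", "owner_add",      "VIN-TEST-0003"),
    (9531, "system",   "owner_notified", "VIN-TEST-0003"),
]

def find_takeover_chains(events):
    """Flag lookup -> modify -> add by one account on one VIN within WINDOW_S."""
    created, notified, progress, hits = {}, defaultdict(list), {}, []
    for ts, account, action, vin in sorted(events, key=lambda e: e[0]):
        if action == "register":
            created[account] = ts
        elif action == "owner_notified":
            notified[vin].append(ts)
        elif action in CHAIN:
            key = (account, vin)
            step, start = progress.get(key, (0, ts))
            if action == CHAIN[0]:
                progress[key] = (1, ts)            # (re)start the chain
            elif action == CHAIN[step] and ts - start <= WINDOW_S:
                if step + 1 == len(CHAIN):
                    hits.append({"account": account, "vin": vin, "start": start,
                                 "duration_s": ts - start})
                    del progress[key]
                else:
                    progress[key] = (step + 1, start)
            else:
                progress.pop(key, None)            # out of order or too slow
    for h in hits:
        age = h["start"] - created.get(h["account"], float("-inf"))
        h["new_account"] = age <= NEW_ACCOUNT_S
        h["owner_notified"] = any(t >= h["start"] for t in notified[h["vin"]])
    return hits
```

Hits where `new_account` is true and `owner_notified` is false match the pattern the researchers describe: a freshly registered dealer account changing ownership with no notification to the owner.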

Following responsible disclosure in June 2024, the flaws were addressed by Kia as of August 14, 2024. There is no evidence that these vulnerabilities were ever exploited in the wild.

"Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle," the researchers said.


Wednesday, 14 July 2021

Threats, Scientist, Researchers and US Government

Dialogue without data is a waste of time. That’s what members of a new U.S. National Academies of Sciences, Engineering, and Medicine panel looking into the threat posed by other countries trying to steal federally funded research yesterday warned a panel of U.S. government watchdogs.

Members of the National Science, Technology, and Security Roundtable—formed last year to promote discussions among federal officials, academic leaders, and national security experts—complained that presentations from a trio of major research agencies lacked the baseline data needed to determine the scope of the problem and what the research community can do to minimize risks.

“I hope you can sense our frustration,” Maria Zuber, a co-chair of the roundtable and vice president for research at the Massachusetts Institute of Technology, said at the end of a 2-hour online session. “It’s impossible for us to gain an understanding of the challenge we face with the information we are being given.”

Yesterday’s meeting, the third hosted by the roundtable, featured presentations from officials at the National Science Foundation (NSF), the Department of Energy (DOE), and the parent agency of the National Institutes of Health (NIH) who investigate all manner of waste, fraud, and abuse of federal funds. Their workloads have risen sharply in the past few years, they told the panel. And they said the rise has been driven by investigations of U.S. scientists alleged to have failed to disclose their ties to China’s foreign talent recruitment programs.

For example, NSF’s Inspector General Allison Lerner said allegations of foreign influence now make up more than 50% of the office’s overall portfolio. That compares with 7% in 2017, she said, before NSF took on its first case. Her 16-person investigations staff feels “overwhelmed,” she added. But Lerner repeatedly declined to say how many investigations her office is now conducting or how many involve foreign influence and emphasized that “our work remains invisible” until the U.S. government announces it has filed criminal or civil charges against an individual.

Her analysis didn’t satisfy roundtable co-chair John Gannon, a former senior government intelligence official. “Fifty percent of what?” he asked Lerner. “Is it a few bad apples or a major trend?”

Gannon had a similar response to a presentation by DOE’s head of investigations, Lewe Sessions. Sessions said his office has 35 active cases involving grantees who allegedly have undisclosed ties to foreign talent programs, including 24 researchers at U.S. universities. That represents a 200% increase “over previous years,” he noted. But Sessions couldn’t provide a more specific timeframe for the rise or characterize what share of his office’s total workload is taken up by such cases.

“What’s the overall population” of researchers involved? Gannon asked Sessions. “Without a baseline, I can’t grasp the scale of the problem.”

In an attempt to demonstrate the seriousness of the threat, Lerner offered an anonymous case study involving an undisclosed agreement between an NSF grantee and an institution affiliated with the Chinese government. The agreement, in Mandarin, contained provisions requiring the scientist to hire certain individuals, set targets for the number of publications and patents stemming from the research, and even described what topics should be pursued.

That agreement was news to NSF, she said, and represented deviations from accepted research practices that invalidated the terms of a grant that NSF had given the researcher. Lerner said the example demonstrated the need for university officials to track down and read such contracts signed by faculty members to ensure they don’t violate university or federal policies regarding conflicts of time commitments and ethical behavior.

But roundtable member Edward Bruce Held, a retired CIA agent and former head of DOE’s nuclear weapons labs, had a more basic question that went unanswered: “Is there any reason to believe that this contract is the norm?... I understand that such language is unacceptable, but does the [Chinese government] do this for a lot of people, or just a few?”

The lack of baseline data also makes it hard for scientists to know whether recent steps taken to address the issue—such as having funding agencies clarify disclosure rules for scientists and universities and spend more time vetting international collaborations—are paying off, says Zuber, a planetary scientist and co-chair of the President’s Council of Advisors on Science and Technology. “Federal agencies and universities have been raising their game, but are we seeing any benefit?” Zuber asked. “If we want our faculty to do extra things and it’s not helping, then we have some serious explaining to do to our colleagues.”

Zuber noted that panel members understood that the investigators were “constrained” in how much information they could release. “But we’re not going away,” she said. “We’ll keep asking these questions.”