#issessions

## Kia Vehicles Vulnerability: Remote Hacks via License Plate

**Overview**

- **Discovery**: Found by independent researcher Sam Curry in a September 26 report
- **Background**: Part of follow-up research on vulnerabilities in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others

**Vulnerability Details**

- **Exploitation Method**:
  - Utilized Kia's dealer portal to gain unauthorized access
  - Required only a license plate number to retrieve the Vehicle Identification Number (VIN)
  - Allowed attackers to modify user accounts and execute vehicle commands
- **Commands Possible**:
  - Unlock/lock doors
  - Start/stop engine
  - Honk horn
  - Locate vehicle

**Security Breach Consequences**

- **Data Compromise**: Access to personal information such as names, emails, and addresses
- **Covert Access**: Attackers could add themselves as secondary users without owner notification

**Mitigation and Response**

- **Discovery and Disclosure**: Vulnerability found in June 2024
- **Patch Released**: Kia addressed the vulnerabilities by mid-August 2024
- **No Known Exploitation**: No evidence of malicious use before patching

**Implications for Automotive Security**

- Highlights ongoing cybersecurity challenges in connected vehicles
- Emphasizes need for robust security measures in automotive systems