This is the second time in a week that I am going to say this. My wife and I are keeping our current car until it dies. But instead of potential privacy issues, it’s due to the fact that cars these days are connected to the Internet. Which means that they could be pwned. Here’s an example of that:
Today, a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then. But Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias’ digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.
“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” says Neiko “specters” Rivera, one of the researchers who both found the latest Kia vulnerability and worked with a larger group responsible for the previous collection of web-based car security issues revealed in January of last year.
“Over and over again, these one-off issues keep popping up,” says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. “It’s been two years, there’s been a lot of good work to fix this problem, but it still feels really broken.”
This isn’t just a bad look for Kia. It’s a bad look for the entire car industry. George McGregor, VP, Approov Mobile Security had this to say:
“This shows how mobile app security and backend API security must be considered together. The attacker was able to copy the apps behavior and the backend checks were not sufficient to distinguish these requests from those from a valid app.
“In fact the API needs contextual information about what is going on in the device and the app to be able to prevent this kind of vulnerability being exploited. And the assessment of device and app needs to be thorough and happen continuously so that every request is validated as being legitimate.
“An effective app attestation solution such as the one from Approov can easily stop unauthorized apps, bots, cloned mobile apps or scripts from accessing your APIs and provide a Zero Trust approach that prevents this kind of exploit. “
The car industry simply needs to do better when it comes to security. Because at present, it looks like they as a whole don’t take security very seriously. Though they are free to prove me wrong at any time by describing how they are going to do better on this front and how long that will take.
Like this:
Like Loading...
Related
This entry was posted on September 27, 2024 at 10:40 am and is filed under Commentary with tags Kia. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Kia Cars Can Be Pwned In Epic Fashion
This is the second time in a week that I am going to say this. My wife and I are keeping our current car until it dies. But instead of potential privacy issues, it’s due to the fact that cars these days are connected to the Internet. Which means that they could be pwned. Here’s an example of that:
Today, a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then. But Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias’ digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.
“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” says Neiko “specters” Rivera, one of the researchers who both found the latest Kia vulnerability and worked with a larger group responsible for the previous collection of web-based car security issues revealed in January of last year.
“Over and over again, these one-off issues keep popping up,” says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. “It’s been two years, there’s been a lot of good work to fix this problem, but it still feels really broken.”
This isn’t just a bad look for Kia. It’s a bad look for the entire car industry. George McGregor, VP, Approov Mobile Security had this to say:
“This shows how mobile app security and backend API security must be considered together. The attacker was able to copy the apps behavior and the backend checks were not sufficient to distinguish these requests from those from a valid app.
“In fact the API needs contextual information about what is going on in the device and the app to be able to prevent this kind of vulnerability being exploited. And the assessment of device and app needs to be thorough and happen continuously so that every request is validated as being legitimate.
“An effective app attestation solution such as the one from Approov can easily stop unauthorized apps, bots, cloned mobile apps or scripts from accessing your APIs and provide a Zero Trust approach that prevents this kind of exploit. “
The car industry simply needs to do better when it comes to security. Because at present, it looks like they as a whole don’t take security very seriously. Though they are free to prove me wrong at any time by describing how they are going to do better on this front and how long that will take.
Share this:
Like this:
Related
This entry was posted on September 27, 2024 at 10:40 am and is filed under Commentary with tags Kia. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.