265 sats \ 1 reply \ @fanis 20h \ on: Hacking Kia Car: Remotely Controlling Cars With Just a License Plate security
TL;DR:
- Kia didn't properly protect its endpoint for registering new dealers, allowing anyone to register as a car dealer
- with dealer privilege, you can access a car owner's personal details from Kia's API, using only their vehicle's VIN, which can be derived from their license plate
- you can even revoke their ownership of the vehicle, and put yourself as owner instead. Being owner means you can unlock, lock, or even start the car from the Kia app. You basically just stole the car, and there was no notification alerting the actual owner.
Now go read the full thing, it's pretty well-written.