Two years ago, Sam Curry and friends released one of the best blog posts ever - hacking every car company. After some time, they decided to come back and see whether things had changed. This time, they took a look at Kia. Originally, they had focused on owners.kia.com and the Kia iOS app, because both could remotely execute commands on vehicles. The owners website used a backend reverse proxy to forward user commands to api.owners.kia.com, whereas the mobile app talked to that API directly.
This time around, they decided to tackle the problem from the dealer's side. From talking with friends, they learned that Kia would ask for your email at the dealership and you'd receive a link to either register a new Kia account or add the car to your existing one. They got an actual link from a friend and started playing around with it.
The linking request contained a VIN and a token known as the VIN Key. This key is an access token generated by the Kia dealer as a one-time grant to modify the vehicle's information. Under the hood, this was the same API as owners.kia.com, once again behind a reverse proxy. They were curious whether more functionality existed on this API than they knew about. After digging through the JavaScript, they found a function for looking up accounts and vehicles that appeared to be employee-only functionality.
Trying to call this endpoint returned an error about not having a proper access token. So, what if they could register on the dealer website? They copied the request format from the other user-related endpoints, and registration just worked on the dealer website. They then logged into the dealer website with the new account, and it issued them a dealer token.
With this, they went back through the JavaScript to understand the functionality that had been unlocked. They could look up car information by VIN. What they really wanted, though, was to remotely take over the car. From sifting through the JavaScript, they found a chain of about seven API calls that let them execute commands on a car: look up the owner by VIN, link the vehicle to an account the attacker controls, and finally send the commands. This affects every Kia made after 2013. Neat!
They rented a car to watch it work, which is hilarious. Like this one, many of the coolest vulnerabilities come from deep recon and understanding your target well. The idea of swapping the host for the registration request sounds simple, but getting there was complicated. Mitigating this doesn't seem trivial, but the timeline of two months seems too long. Good write-up!
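The core failure above is that an account self-registered through the dealer front end ended up with a dealer-scoped token, and the employee-only lookup trusted that token. The following is an added illustration, not Kia's code and not from the original write-up: a hypothetical portal model in which roles are assigned server-side, self-registration can only ever produce a plain user, and the VIN Key is consumed on first use. All class, method and field names are assumptions for the example.

```python
import secrets


class DealerPortal:
    """Hypothetical model of a dealer portal (constructed for this example)."""

    def __init__(self):
        self.accounts = {}   # email -> 'user' or 'dealer'; never set from client input
        self.tokens = {}     # session token -> email
        self.vehicles = {}   # vin -> owner email
        self.vin_keys = {}   # one-time VIN Key -> vin; entry is deleted when used

    def register(self, email, **client_fields):
        # Self-registration yields a plain user no matter which host the request
        # arrived on and no matter what role-like fields the client supplied.
        self.accounts.setdefault(email, "user")
        return self.accounts[email]

    def provision_dealer(self, email, approved_by_admin):
        # Dealer accounts only come from a separate, vetted onboarding path.
        if not approved_by_admin:
            raise PermissionError("dealer accounts require admin approval")
        self.accounts[email] = "dealer"

    def login(self, email):
        token = secrets.token_hex(16)
        self.tokens[token] = email
        return token

    def _require_role(self, token, role):
        email = self.tokens.get(token)
        if email is None or self.accounts.get(email) != role:
            raise PermissionError(f"{role} token required")
        return email

    def lookup_vehicle(self, token, vin):
        # Employee-only: authorise on the account's server-side role, not on
        # which front end (owner site vs. dealer site) proxied the request.
        self._require_role(token, "dealer")
        return self.vehicles.get(vin)

    def issue_vin_key(self, token, vin):
        self._require_role(token, "dealer")
        key = secrets.token_urlsafe(16)
        self.vin_keys[key] = vin
        return key

    def link_vehicle(self, token, vin, vin_key):
        email = self.tokens.get(token)
        if email is None:
            raise PermissionError("login required")
        if self.vin_keys.get(vin_key) != vin:   # key must match this exact VIN
            raise PermissionError("invalid or already used VIN key")
        del self.vin_keys[vin_key]              # single use: consume on success
        self.vehicles[vin] = email
        return email


def allowed(action, *args):
    """True if the portal action succeeds, False if it is refused."""
    try:
        action(*args)
        return True
    except PermissionError:
        return False
```

`register` accepts and ignores arbitrary client fields so that a request copied from the user-registration endpoints can never elevate itself to dealer.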