CVE-2024-51074 identifies an incorrect access control vulnerability in the instrument cluster of the KIA Seltos vehicle, specifically in software and hardware version 1.0. The instrument cluster interfaces with the vehicle's CAN (Controller Area Network) bus, which is used for communication between various electronic control units (ECUs). The vulnerability allows an attacker with access to the CAN network to send crafted messages that arbitrarily increase the odometer reading. This is possible because the instrument cluster does not properly restrict access to the odometer value modification commands. However, the supplier disputes the practical impact, arguing that the CAN bus is not exposed externally, limiting attack vectors to physical or highly privileged access scenarios. Furthermore, the odometer can only be incremented, not decremented, which reduces the potential for fraud or manipulation. The test environment used to discover this issue was an isolated ECU, not a fully integrated vehicle, which may not reflect real-world conditions. The observed behavior is consistent with the Unified Diagnostic Services (UDS) protocol, which defines diagnostic communication in vehicles. The CVSS 3.1 score of 6.7 reflects a medium severity, with attack vector classified as physical access (AV:P), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) affecting confidentiality, integrity, and availability to varying degrees. No patches or exploits are currently reported.

The primary impact of this vulnerability is the potential manipulation of the vehicle's odometer reading, which can affect vehicle resale value, warranty claims, and maintenance records. While the ability to only increase the odometer limits some fraudulent uses, it still undermines trust in vehicle data integrity. There is no direct impact on vehicle safety or operational control, so the risk to driver safety or vehicle availability is low. However, organizations involved in vehicle fleet management, resale, or leasing could face financial and reputational risks if odometer tampering occurs undetected. The requirement for physical or CAN network access limits the scope of exploitation, reducing the likelihood of widespread attacks. The lack of known exploits in the wild further reduces immediate risk, but the vulnerability highlights potential weaknesses in vehicle network security and access controls that could be exploited in more complex attack scenarios.

To mitigate this vulnerability, organizations and vehicle owners should ensure that physical access to the vehicle's CAN bus is strictly controlled and monitored. Automotive service centers and fleet operators should implement secure diagnostic procedures that restrict unauthorized access to the instrument cluster and CAN network. Manufacturers should consider firmware updates that enforce stricter access controls on odometer modification commands, including authentication and integrity checks aligned with the UDS protocol. Deployment of intrusion detection systems (IDS) for in-vehicle networks can help detect anomalous CAN messages indicative of tampering attempts. Additionally, integrating cryptographic protections and secure boot mechanisms in ECUs can prevent unauthorized firmware or message injection. Regular audits and inspections of vehicle instrument clusters and odometer readings can help detect inconsistencies early. Collaboration with suppliers to validate test environments and ensure realistic security assessments is also recommended to avoid false positives or underestimations of risk.