[HN Gopher] Hacking Kia: Remotely Controlling Cars with Just a L...
___________________________________________________________________
Hacking Kia: Remotely Controlling Cars with Just a License Plate
Author : speckx
Score : 234 points
Date : 2024-09-26 14:22 UTC (8 hours ago)
(HTM) web link (samcurry.net)
(TXT) w3m dump (samcurry.net)
| sxcurity wrote:
| Stop connecting vehicles to the internet pls & thanks
| yupyupyups wrote:
| Ok, I won't.
| carabiner wrote:
| Thanks.
| AdamJacobMuller wrote:
| If it's done well, there are some useful features there.
|
| App unlock, remote start + remote temperature control. All very
| useful.
|
| I couldn't imagine buying a car without carplay now.
| rwmj wrote:
| Sorry no. App unlock is a stupid anti-feature, do people
| genuinely think it's better than pressing a keyfob?
|
| Remote start _is_ very useful in very cold climates, but
| guess what, it doesn't need a phone, an app or the internet.
| My friend in a snowy part of Japan had a radio keyfob that
| did this literally 10 or more years ago. As long as you were
| within about 100 ft of the car you could switch it on and
| turn on the heaters.
| AyyEye wrote:
| I installed an aftermarket remote start kit in the 90s. It
| cost less than $100.
| kube-system wrote:
| Many of the earlier aftermarket remote start kits were
| cheap and simple because the vehicles had fewer security
| features. They are more complex and expensive today, and
| some are questionable in their implementation.
| tspike wrote:
| Right, the point is that complexity is unnecessary.
| toomuchtodo wrote:
| I use my Tesla app to lock and unlock our vehicles all the
| time, in all cases outside of RF range. I have a Twilio
| number wired up I can call, enter a 10 digit code, and it
| will unlock and enable the vehicle to drive in the event I
| have lost my phone and keycard. These are material quality
| of life improvements.
|
| Physical access is required to exploit any unauthorized
| access to the vehicle. What are you going to do? Steal my
| change?
| roywiggins wrote:
| Is it really so much better than an RF keyfob that it's
| worth connecting your car to the Internet for?
| toomuchtodo wrote:
| Yes, I accept the risk and threat model. RF fobs are
| compromised frequently as well. Unless you rip the
| cellular module out of my vehicles, I will find it, and
| someone is just going to break the window if they want
| in.
|
| Edit: Non connected cars for the risk averse, connected
| cars for those with the risk appetite. The market will
| self sort, even if telematics requires more regulatory
| oversight (they do!).
|
| https://www.google.com/search?q=fob+relaying+theft+attack
| roywiggins wrote:
| Of course, with this Kia attack, it didn't matter if you
| had never used or activated the feature, it was still
| vulnerable. With keyfobs you can just not use it or
| destroy it if you are worried about relay attacks.
|
| Connecting every car to the Internet at all times just in
| case their owners might want to activate a remote start
| feature at some point is _nuts_.
| potato3732842 wrote:
| >Yes, I accept the risk and threat model.
|
| >Edit: Non connected cars for the risk averse, connected
| cars for those with the risk appetite. The market will
| self sort, even if telematics requires more regulatory
| oversight (they do!).
|
| Seems contradictory. What risk are you actually accepting
| if we're all forced to kick in for some regulator that
| protects you from the majority of the risk?
| toomuchtodo wrote:
| DHS, CISA and NHTSA already exist to provide cyber
| regulatory mechanisms at the intersection of automotive
| and telematics or other software/connected scope. If an
| entity ships shit, apply punitive punishment to the
| offender (NHTSA forces software updates as recalls today,
| but can do much more). Software and connectedness is not
| going away [1] [2], so secure software development,
| actual QA, and real change management must be strongly
| encouraged through incentives. "The beatings will
| continue until the security posture improves."
|
| [1] https://www.techradar.com/pro/security/hackers-are-increasin...
|
| [2] https://www.cisa.gov/news-events/alerts/2024/09/25/threat-ac...
| almostnormal wrote:
| Risk/threat I would accept. Leaking data - to telcos by
| constantly being connected to some cell tower and
| explicitly to the manufacturer whatever they decide to
| transmit - is the part I don't like.
|
| I don't even carry a phone for that reason.
| natch wrote:
| Nice lifehack; I'm going to do this. Please share more if
| you have them.
| somehnguy wrote:
| Remote start via phone is still useful in cold climates.
| While getting a ride with a friend to my car left at some
| location I've been able to start & get it warmed up before
| we even got off the highway.
|
| It was nice and warm by the time I arrived to it. With only
| a keyfob it would have still been ice cold.
|
| Absolutely not a necessary feature, but I miss it (free
| MyLink subscription expired and I won't pay for it).
| toast0 wrote:
| For safety, you're really not supposed to remote start a
| vehicle if you can't observe it / are in contact with
| someone who is observing it. Lots of potential hazards,
| but it can be convenient.
| Kirby64 wrote:
| With an EV, this isn't a concern. No tailpipe fumes or
| whatnot to worry about. Also, in pretty much any public
| space where you would park it (i.e., outside of your own
| garage), this isn't a concern either.
| Rebelgecko wrote:
| Can you give an example of a hazard? I genuinely can't
| think of one- at least on my car, when you remote start
| it is still locked so it's not like anyone can get in and
| drive it away (and even if someone breaks in I don't
| think it'll go into Drive without a key in the vehicle)
| toast0 wrote:
| If the tailpipe is restricted (by snow, say), you're
| likely to damage the car. If it runs poorly when it
| starts, and it's unsupervised, it could result in damage
| that would have been avoided if you were present and shut
| it down in a reasonable amount of time.
|
| If someone is working on the car (authorized or not),
| they may be injured if it starts without their knowledge.
|
| If it's parked indoors, exhaust gasses are likely to
| build up, leading to a dangerous situation. If you have
| multiple drivers, maybe someone else moved it and you
| didn't know.
| Kirby64 wrote:
| Automatic unlock with a phone is not an anti feature. If it
| replaces your key fob completely, then it's one less thing
| you have to carry. I haven't carried keys of any kind
| for... 6 years at this point?
|
| Also, remote start/temp control that works no matter the
| distance as long as there's internet connectivity is
| superior to a radio based implementation. There's plenty of
| places that are largely RF impermeable, or otherwise
| distance is too far. If you're in a store, 100ft is barely
| any distance, especially with the layers of concrete in the
| way.
| devilbunny wrote:
| > I haven't carried keys of any kind for... 6 years at
| this point?
|
| You do you, of course, but I've absolutely relied on
| physical keys on numerous occasions over the years even
| when electronic methods exist.
|
| Garage door spring broke or power is out, and battery
| died on your electronic house lock? You're not getting
| in.
|
| Keyless fob ignition car ends up in a very strange state
| where, even though I have the fob in my hand and the car
| is running, it won't respond because the doors were
| locked from the inside by the dog? Happened.
|
| Actually had that conversation about the house with my
| wife when she didn't carry house keys: do you want to
| find yourself stuck out of the house while the pets
| freeze or boil because you didn't just carry a damned
| key?
| asdasdsddd wrote:
| The time I save pays for a locksmith many times over. I
| also give my friends/my condo spares so this is never
| actually an issue.
| Kirby64 wrote:
| > Garage door spring broke or power is out, and battery
| died on your electronic house lock? You're not getting
| in.
|
| How, exactly, would this happen simultaneously? Any
| reasonable system should alert you when batteries in your
| locks are running low. Unless you brazenly disregard
| those warnings (since, the low battery at least on mine
| means you still have... weeks left of battery), you will
| always have access. Also, with multiple entry-points into
| the house, you'd need ALL door locks to have their
| batteries die simultaneously. And the power to be out.
| That's a level of redundancy that is just unreasonable.
|
| > Actually had that conversation about the house with my
| wife when she didn't carry house keys: do you want to
| find yourself stuck out of the house while the pets
| freeze or boil because you didn't just carry a damned
| key?
|
| In what world would your pets die because you got locked
| out of the house? You should have AC/heating... and in
| some sort of power outage event (which, also, would
| require you to not be home either), your pets are
| certainly not going to freeze/overheat immediately. In
| such a crazy unrealistic scenario, breaking a window or
| drilling out a lock is a straightforward solution. But
| also, that would require so many multiple events to
| happen simultaneously (to get to needing to break a
| window) that it will never reasonably happen.
| grahamj wrote:
| Yep. I've forgotten or lost keys in the past and been
| locked out, but never have all of my e-locks and garage
| died at once.
| jdminhbg wrote:
| > Keyless fob ignition car ends up in a very strange
| state where, even though I have the fob in my hand and
| the car is running, it won't respond because the doors
| were locked from the inside by the dog? Happened.
|
| This is a good reason to have your car connected to the
| internet, you can use your app to turn it off and unlock
| it.
| mavamaarten wrote:
| Locking my car through the app is a genuinely useful
| feature. Ever parked, left your car, and thought to
| yourself "damn, did I lock my car?". Just lock it through
| the app.
|
| I've had to fetch something from my car while my gf had the
| car keys with her, I could just open it with my phone. It's
| useful.
| asdasdsddd wrote:
| I don't want to carry another stupid fob around. My goal in
| life is to carry a dumb smart phone that can unlock
| anything.
| cryptonector wrote:
| Remote start is also useful in hot climates, and for
| similar reasons.
| AyyEye wrote:
| It's never well done.
| bigstrat2003 wrote:
| It was well done on my previous car and current car. So it
| would appear that your claim does not hold.
| natch wrote:
| It's very well done in my car.
| yreg wrote:
| It's well done in Tesla.
| FriedPickles wrote:
| Unlock via Bluetooth is perfectly viable without internet
| connection (unless you mean unlocking it for someone else?).
| Remote start and temp control should probably work from a few
| hundred feet away. If only phones had a longer range local
| radio, perhaps something like Zigbee. Maybe WiFi direct?
| whiplash451 wrote:
| It just doesn't have to be the internet.
| lowkj wrote:
| CarPlay doesn't use your car's internet, it uses your phone's
| internet. That's part of the whole beauty of it.
| krferriter wrote:
| Yeah, important distinction
| natch wrote:
| Please explain how in your mind are they doing remote
| climate control, then?
| mplewis wrote:
| Through the car's cellular connection.
| natch wrote:
| Why do you give CarPlay credit for those features? No need
| for CarPlay for any of those. What do you get from CarPlay
| that you don't get from a connected car without CarPlay?
| yjftsjthsd-h wrote:
| > What do you get from CarPlay that you don't get from a
| connected car without CarPlay?
|
| Software quality and security updates on the internet-
| facing component.
| morkalork wrote:
| If the car manufacturer can remote unlock and start your car
| for you, it can be abused by a hacker in the same way. It's the
| exact same argument against backdoors in encryption for the
| government, if a backdoor works for them, it'll work for
| hackers too.
| kkfx wrote:
| Well... There is no reason to have a middleman like the OEM, so
| the car could be connected just with the formal owner (i.e.
| with a personal subdomain or dyndns), FLOSS stack under users
| control and some hard limits (like you can't act on the car if
| it is moving and so on).
| Rebelgecko wrote:
| I would guess 99.9% of car owners who use the app would not
| set up a personal subdomain or manage a FLOSS stack
| thfuran wrote:
| I don't think you have enough nines.
| bityard wrote:
| Well, I am already pretty firmly against buying any car that
| requires you to create an account online to "activate" the
| vehicle. But I definitely won't buy another Kia anyway, based on
| the fact that our last one burned a quart of oil every thousand
| miles WELL before it hit the 100k mark.
| barbazoo wrote:
| > car that requires you to create an account online to
| "activate" the vehicle
|
| I have a 2023 Kia and that's not necessary. You only need the
| account if you want to use the optional online services.
| sahmeepee wrote:
| As the article says, you don't need an active subscription to
| be vulnerable. In this case it seems that if the model
| supports the features at all, you are vulnerable.
|
| This makes sense, because they want people to be able to
| subscribe to their services later without having to visit the
| dealership, so they make it possible to remotely enable the
| service.
|
| I'm not sure if you can buy a tinfoil hat for a car.
| nis0s wrote:
| I was just going to say the same as it's stated pretty
| early in the article
|
| > These attacks could be executed remotely on any hardware-
| equipped vehicle in about 30 seconds, regardless of whether
| it had an active Kia Connect subscription.
|
| If this should tell companies anything, it is that most of
| these services should be opt-in instead of opt-out in favor
| of security and privacy.
| mikepurvis wrote:
| It should be possible to physically disable the cellular
| modem in the vehicle, wherever that is. I have a 2020 Volvo
| that is definitely online, waiting for me to activate some
| pricey online subscription that I don't want or need.
|
| Would be nice to have an organized online database of how to
| disconnect various "smart" devices-- cars, TVs, appliances,
| etc.
| 0cf8612b2e1e wrote:
| But if it is not online, you will not be able to download
| the latest patches. Like the ones that prevent new remote
| exploits.
| tspike wrote:
| How did we ever survive without computerized vehicles?
| mandevil wrote:
| We tolerated worse gas mileage (computer controlled fuel
| injection, transmission, etc.), safety (anti-lock
| brakes), etc. We added computers because we wanted to
| lessen the effects of climate change and keep more people
| alive.
| hunter2_ wrote:
| In my VW, the cellular modem and something I actually use
| (I think it's the Bluetooth microphone) are in the same
| module, so pulling the fuse or disabling it in the CAN
| gateway would be too heavy-handed. I would need to spend
| hours getting to, and into, the module. Or maybe replace
| the antenna with an effective dummy load / terminator?
| Tons of trim work. Luckily it's old enough to be 2G, and
| my understanding is most towers no longer speak to it, so
| I haven't pursued it further.
| jdminhbg wrote:
| > As the article says, you don't need an active
| subscription to be vulnerable.
|
| OP was talking about not buying a car that requires a
| subscription to activate, not about whether the
| subscription makes you vulnerable.
| 01HNNWZ0MV43FF wrote:
| Otherwise it spies on you with no account
| alexandersvozil wrote:
| I cannot connect to Kia anymore, would have not worked in me
| meindnoch wrote:
| What if we had laws that required car manufacturers to have
| software with slightly better quality than the utter syphilitic
| diarrhea they currently ship?
| diego_moita wrote:
| Ok, lesson learned. Thank you.
|
| I have a Kia Niro EV Wind 2024 and just cancelled my account at
| Kia Connect.
|
| Yes, I felt stupid. But a little less stupid now.
|
| Edit: does anyone know how I could disable Kia's remote access to
| my car? Is there any antenna I could cover with tin foil or a
| chip that can be disconnected?
| aftbit wrote:
| >These attacks could be executed remotely on any hardware-
| equipped vehicle in about 30 seconds, regardless of whether it
| had an active Kia Connect subscription.
| bluSCALE4 wrote:
| Don't feel stupid, feel a little angry. The only thing you
| could have done to prevent this was not buy a Kia.
| EricE wrote:
| It's hardly unique to Kia!
|
| https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
| tptacek wrote:
| This won't have nearly the same impact, but when you're
| considering how vulnerabilities like this might influence your
| future purchasing decisions, remember that Kia's decision to omit
| interlocks from their US vehicles (but not Canadian ones!) led to
| a nationwide epidemic of Kia thefts so large it fed a crime wave,
| something a number of US cities are suing Kia over. If you've
| read about carjacking waves in places like Milwaukee and Chicago:
| that was largely driven by a decision Kia made, which resulted in
| the nationwide deployment of a giant fleet of "burner" cars that
| could be stolen with nothing but a bent USB cable.
| wasteduniverse wrote:
| Don't anthropomorphize the lawnmower and blame Kia for this,
| blame the NHTSA for making it legal to skimp out on
| immobilizers in the first place. Regulations matter!
| tptacek wrote:
| Since Kia/Hyundai is the only automotive group to have this
| problem, I'm going to go ahead continuing to blame them.
| piva00 wrote:
| I agree and still it's also the lack of regulation that
| enabled it to happen, and 2nd order effects of it is the
| increase in carjackings.
|
| It's a pretty good argument for the regulation, since
| everyone else is already doing it just make it the
| standard.
| cryptonector wrote:
| Lmao, good reference to u/bcantrill.
| rideontime wrote:
| ?
| lambda wrote:
| https://news.ycombinator.com/item?id=10040429
| pengaru wrote:
| > Volkswagen has entered the chat
| adolph wrote:
| > If you've read about carjacking waves in places like
| Milwaukee and Chicago: that was largely driven by a decision
| Kia made, which resulted in the nationwide deployment of a
| giant fleet of "burner" cars that could be stolen with nothing
| but a bent USB cable.
|
| "A nationwide epidemic of Kia thefts" seems to be a natural
| consequence of decreased security. However, that carjacking in
| Milwaukee and Chicago specifically would follow from a
| nationwide omission of interlocks is not obvious as the
| vehicles are easily stolen without the need for personal
| confrontation. What is the connection of Kia interlocks to
| carjacking in Milwaukee and Chicago?
| Terr_ wrote:
| > However, that carjacking in Milwaukee and Chicago
| specifically would follow from a nationwide omission of
| interlocks is not obvious as the vehicles are easily stolen
| without the need for personal confrontation.
|
| I think parent-poster means that the easily-stolen cars are
| being used as _tools_ of carjacking, rather than the targets
| of it. In particular, carjacking that occurs by somehow
| provoking a victim to stop on the highway shoulder, a
| location where attackers can't exactly arrive by foot or bus
| or bike. That way they don't involve a vehicle that might be
| observed and traced back to them.
|
| An alternate explanation is that they meant to write
| something like "theft" and accidentally put down "carjacking"
| instead.
| levocardia wrote:
| This is correct, the usual procedure is: steal kia or
| hyundai with your friends using the no-interlock exploit
| --> find other cars to carjack (at gunpoint), or
| individuals to rob --> ditch stolen cars when no longer
| needed. Exploit no-pursuit policies as needed.
| tptacek wrote:
| I've posted this point a couple times on HN and I guess I
| will keep posting until people stop expressing surprise
| that trivially stealable cars are a precursor to
| carjackings. I'm not dunking, there's no good reason for
| people to intuit that! But it's a really important thing
| to understand.
| adolph wrote:
| Thanks and thanks to the upthread explanations.
|
| Part of what makes it unintuitive is the specificity:
| * Why Milwaukee and Chicago instead of everywhere?
| * Why carjacking and not a general increase in crimes
| that could be facilitated by an unassociated car (bank
| robbery, toll violations, etc)?
| kgermino wrote:
| FWIW the associated crime wave was much broader than
| carjacking (and I'm actually not aware of a particular
| increase in carjackings specifically due to the Kia
| issues but I don't know) but the Kia issues seem to have
| started in Milwaukee.
|
| For whatever reason, it became A Thing here more than a
| year before it went national. Car thefts in Milwaukee
| more than doubled (entirely due to a stupidly large
| increase in Kia/Hyundai thefts) and we got a reputation
| for Kia thefts before it became a national issue
| jeffbee wrote:
| I question whether Milwaukee and Chicago are outstanding
| examples. I looked at a few reputable sources and neither those
| cities nor their states seem to be extremes in terms of
| car theft rates. Most of these law enforcement agencies
| are not specifically breaking out carjacking.
|
| Random presentation of car theft stats comparing Chicago
| to a handful of others. We hear a lot about Chicago
| because many have a vested interest in deflecting
| discussions about crime. When was the last time you heard
| about the insane motor vehicle theft rate of Dallas?
| https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...
| Tool_of_Society wrote:
| Hell Mississippi as a state might soon pass Chicago in
| murder rate per capita. Chicago last year had a murder
| rate of 22.85 per 100,000 while Mississippi had a murder
| rate of 20.7 per 100,000. Louisiana had 19.8 and Alabama
| had 18.6..
| tptacek wrote:
| Chicago isn't even in the top 10 per capita. It's just a
| _very_ big city that everybody forgets is a very big
| city.
| tptacek wrote:
| The phenomenon started in Milwaukee (the "Kia Boys"
| challenge), and I happen to live in Chicagoland, which
| experienced a huge wave of carjackings immediately
| afterwards. I have one of them recorded on my Nest camera
| in the alley behind my house. Nothing in particular about
| those two cities otherwise.
|
| As the sibling points out: it's a broader issue than just
| carjackings --- but the carjackings themselves were
| novel, scared the shit out of people in a way that
| stochastic-seeming strong arm robberies don't. The
| headline here is: it was a gravely negligent thing for
| Kia to have done; I hope they lose their shirts.
| reaperducer wrote:
| _Why Milwaukee and Chicago instead of everywhere?_
|
| It wasn't just in those cities, it was nationwide. The
| poster was using those cities as examples because they
| are familiar to him.
| anarticle wrote:
| "Places like" include Philadelphia. It's not a closed
| set, just some examples. I have friends that have had
| their KIA stolen this way, and others that have outright
| sold their car to get a different brand due to how
| prevalent it is here.
| potato3732842 wrote:
| I'd really like to see a citation for carjackings going
| up more than any other crime that a stolen car enables.
|
| Cars are hard to fence and if you have a stolen car
| there's other crimes you can commit that have similar
| upsides and lower sentences/risks. For example ATMs never
| run over your buddies or shoot back at you.
| tptacek wrote:
| Carjacked cars are usually recovered. They're not
| carjacked so they can be sold on some weird car black
| market.
| op00to wrote:
| All stolen cars are usually recovered. The recovery rate
| is something like 85%.
| Eumenes wrote:
| > something a number of US cities are suing Kia over
|
| I can think of nothing more American than suing car
| manufacturers because they're too easy to steal. The US is truly
| screwed.
| tptacek wrote:
| They're being sued because they deliberately made the cars
| _easier_ to steal in the US than they are elsewhere.
| wallaBBB wrote:
| Regarding the Kia Boyz - immobilizers have been mandatory in
| most of Europe since late 90s, in Canada since 2007. Basically
| there is something to put on (lack of) regulations as well as
| on HKMC.
| Sohcahtoa82 wrote:
| In the USA, we believe we don't need regulations, the Free
| Market(tm) will punish corporations that don't behave in a
| way that benefits their customers!
|
| Insane to me that so many people believe this...
| op00to wrote:
| I'll certainly never buy another Korean car.
| thfuran wrote:
| And never an American one after the Pinto, and never a
| German one after the VW testing scam, and never a
| Japanese one after the recent safety scandal? I guess you
| can still get a Jaguar, so your mechanic won't complain.
| throw10920 wrote:
| Citation needed for the claim any significant fraction of
| the US population believe that regulations are completely
| unnecessary.
|
| This runs directly contrary to my lived experience here, so
| unless you can provide evidence it sure seems like you're
| just engaging in ideological warfare.
| vasco wrote:
| From my understanding immobilizer bypass tools are cheap and
| plenty.
| acdha wrote:
| Even if that's true, they are clearly nowhere near as
| "cheap and plenty" as watching a Tik Tok video. The spike
| in crime was far greater than normal random variation.
| wallaBBB wrote:
| Not really. At least not for those immobilizers that don't
| use "proprietary" ciphers. Automotive loves security
| through obscurity until it bites them in the ass. Today
| most manufacturers have moved to AES128, which is not cheap
| to brute force, especially if there is a rolling code
| (should be the case for many)
|
| But you are right that there are many (older models) that
| use ciphers with known quick exploits: TI's DTS40/DTS80
| (40/80bit, proprietary cipher, in many cases terrible
| entropy), models from Toyota, HKMC, Tesla. About 6s to
| crack in many cases.
|
| NXP's HTAG2 - most commonly used one in the '00s - 48bit
| proprietary cipher, a lot less exploited in the wild than
| the TI's disastrous two variants.
| mass_and_energy wrote:
| We Canucks need all the features we can get to stop cars from
| being stolen, without exaggeration a car is stolen in Canada
| every 5 minutes on average.
| SpaghettiCthulu wrote:
| Too bad the only thing our current government can think to do
| is ban the FlipperZero.
| aftbit wrote:
| Wait a moment, the key vulnerability appears to be that anyone
| could register as a dealer, but also any dealer could lookup
| information on any Kia even if they didn't sell it or if it was
| already activated!? That seems insane. What if a dealership
| employee uses this to stalk an ex or something?
| lambada wrote:
| A Kia authorised dealer being able to look up any Kia has some
| very useful benefits (for the dealer, and thus Kia).
|
| If a customer has moved into the area and you're now their
| local dealer they're more likely to come to you for any
| problems, including ones involving remote connectivity
| problems. Being able to see the state of the car on Kia's
| systems is important for that.
|
| Is this a tradeoff? Absolutely. Can you make the argument the
| trade off isn't worth it? Absolutely. But I don't think it's an
| unfathomably unreasonable decision to have their dealers able
| to help customers, even if that customer didn't purchase the
| car from that dealer.
| conductr wrote:
| Those aren't the only options. It would be a trivial change to
| allow any dealer to request access to any vehicle and have it
| tied to the active employee's SSO or something similar that at
| least leaves an audit trail and prevents such random access.
| Allowing anyone to be a dealer is the real oversight. They
| could put some checks in place also to prevent the stalker
| situation GP mentioned. It's always going to be possible but
| reduces risk a lot if employee just has to ask someone else
| to approve their access request, even if it's just a rubber
| stamp process making sure the vehicle is actually in need of
| some service
| aftbit wrote:
| In my opinion, the better way to design such a thing would be
| for there to be a private key held in a secure environment
| inside the car which is used to sign credentials which offer
| entitlements to some set of features.
|
| So for example, when provisioning the car initially, the
| dealer would plug into the OBDii port, authenticate to the
| car itself, and then request that the car sign a JWT (or
| similar) which contains the new owner's email address or Kia
| account ID as well as the list of commands that a user is
| able to trigger.
|
| In your scenario, they would plug into the OBDii port,
| authenticate to the car, and sign a JWT with a short
| expiration time that allows them to query whatever they need
| to know about the car from the Kia servers.
|
| The biggest thing you would lose in this case is the ability
| for _any_ dealer to geolocate any car that they don't have
| physical access to, which could have beneficial use cases
| like tracking a stolen car. On the other hand, you trade that
| for actual security against any dealership tracking any car
| without physical access for a huge range of nefarious
| reasons.
|
| Of course, those use cases like repossessing the car or
| tracking a stolen vehicle would still be possible. In the
| former, the bank or dealership could store a token that
| allows tracking location, with an expiration date a few
| months after the end of the lease or loan period. In the
| latter, the customer could track the car directly from their
| account, assuming they had already signed up at the time the
| car was stolen.
|
| You could still keep a very limited unauthenticated endpoint
| available to every dealer that would only answer the question
| "what is the connection status for this vehicle?" That is a
| bit of an information leak, but nowhere near as bad as being
| able to real-time geolocate any vehicle or find any owner's
| email address just given a VIN.
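
The scheme described in the comment above, as an added example in Go that is not from the thread, from Kia, or from any real telematics API: the car signs a compact EdDSA JWT naming an account, a VIN, the permitted commands and an expiry, and the backend checks all four before relaying a command. The claim names, command strings, VINs and account IDs are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a hypothetical entitlement payload; the field names are assumptions.
type Claims struct {
	Sub      string   `json:"sub"`      // owner account ID or dealer ID
	VIN      string   `json:"vin"`      // vehicle the grant applies to
	Commands []string `json:"commands"` // commands the holder may trigger
	Exp      int64    `json:"exp"`      // expiry, Unix seconds
}

const header = `{"alg":"EdDSA","typ":"JWT"}`

var b64 = base64.RawURLEncoding

// Issue runs inside the car, after a session authenticated over the OBD-II port.
func Issue(carKey ed25519.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signed := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString(body)
	return signed + "." + b64.EncodeToString(ed25519.Sign(carKey, []byte(signed))), nil
}

// Authorize is the backend check before a command is relayed to the vehicle.
// carPub is the key enrolled for vin; the signature is verified before any claim is trusted.
func Authorize(carPub ed25519.PublicKey, token, vin, command string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	hdr, err := b64.DecodeString(parts[0])
	if err != nil || string(hdr) != header { // pin the algorithm, never read it from the token
		return errors.New("unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(carPub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return errors.New("malformed payload")
	}
	if c.VIN != vin {
		return errors.New("token is for a different vehicle")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token expired")
	}
	for _, allowed := range c.Commands {
		if allowed == command {
			return nil
		}
	}
	return errors.New("command not granted")
}

// RunScenario exercises the checks with constructed keys, VINs and account IDs.
func RunScenario() []string {
	pubA, privA, _ := ed25519.GenerateKey(nil) // car A
	pubB, _, _ := ed25519.GenerateKey(nil)     // car B, never visited by the dealer
	now := time.Unix(1727360000, 0)            // fixed clock for the example
	owner, _ := Issue(privA, Claims{Sub: "owner-account-1", VIN: "VIN-A",
		Commands: []string{"lock", "unlock", "start"}, Exp: now.AddDate(1, 0, 0).Unix()})
	dealer, _ := Issue(privA, Claims{Sub: "dealer-42", VIN: "VIN-A",
		Commands: []string{"read_status"}, Exp: now.Add(15 * time.Minute).Unix()})
	result := func(err error) string {
		if err != nil {
			return err.Error()
		}
		return "ok"
	}
	return []string{
		result(Authorize(pubA, owner, "VIN-A", "unlock", now)),                           // owner grant
		result(Authorize(pubA, dealer, "VIN-A", "read_status", now)),                     // dealer, in scope
		result(Authorize(pubA, dealer, "VIN-A", "unlock", now)),                          // dealer, out of scope
		result(Authorize(pubA, dealer, "VIN-A", "read_status", now.Add(16*time.Minute))), // after expiry
		result(Authorize(pubB, dealer, "VIN-B", "read_status", now)),                     // different car
	}
}

func main() {
	for i, r := range RunScenario() {
		fmt.Printf("case %d: %s\n", i+1, r)
	}
}
```

The last case is the property the comment is after: a token minted by one car is rejected for every other vehicle, so a dealer account on its own grants nothing.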
| folmar wrote:
| This is quite common in Europe. There is normally no special
| relationship with the original dealer and the service history
| is centralised for most manufacturers.
| belthesar wrote:
| That's not a benefit to me if I can't control how someone
| gets access to my vehicle, dealership or not. If I want a
| dealership to be able to assist me, I should have to
| authorize that dealership to have access, and have the power
| to revoke it at any time. Same for the car manufacturer. It
| ideally should include some combination of factors including
| a cryptographic secret in the car, and some secret I control.
| Transfer of ownership should involve using my car's secret
| and my car's secret to transfer access to those features.
|
| If you feel like this sounds like an asinine level of
| requirements in order for me to feel okay with this
| featureset, I'd require the same level of controls for any
| incredibly expensive, and potentially dangerous liability in
| my control that has some sort of remote backdoor access via a
| cloud. All of this "value add" ends up being an expense and a
| liability to me at the end of the day.
| lofaszvanitt wrote:
| Security is an afterthought... nobody cares, until shit hits
| the fan.
| dns_snek wrote:
| > What if a dealership employee uses this to stalk an ex or
| something?
|
| Yes, and everyone should remember this the next time these
| companies and their lobbyists run TV ads telling you that your
| wives and daughters will be stalked and raped in a parking lot
| if Right to repair is allowed to pass.
| k8sToGo wrote:
| What if the internet is used for that?
| troyvit wrote:
| Yeah for some reason I find it so creepy that Kia ties your
| license plate number to your car's functionality. I don't know
| why but I feel like those two things should operate
| exclusively.
| aftbit wrote:
| License plates are incredibly insecure. They are a short,
| easy to automatically recognize ID that is expensive to
| change, and it is a crime to drive while they are covered.
| mlsu wrote:
| There are no new cars on the market today that don't have a slew
| of connected """features""", right?
|
| Will it ever be possible to have a non-connected car? If so, how?
| What would it actually take? This is not a ranty rhetorical
| question -- I'm actually wondering.
| MarkusWandel wrote:
| Don't know about 2024, but my 2023 Honda Civic EX-B (Canadian
| market) is actually pretty old school. Yes, it has the keyless
| unlock and even a remote engine start button on the keyfob (can
| be disabled, thankfully - car is parked inside and we have
| kids!) But no cellular connectivity, no wifi, and all the
| touchscreen stuff is "extra icing" - all the controls you need
| are there in physical form except for some radio and cell phone
| call functions. Yes, the car may be vulnerable to signal boost
| kind of attacks (to pretend the keyfob is nearby when it's not)
| and possibly the "pop off a headlight and get into the CANbus"
| attack. But no cloud dependency and no way for the cloud to
| reach in and mess things up. Also, the software it does have
| seems "debugged" based on a year of using it.
| gen3 wrote:
| Your Honda almost certainly has HondaLink, which connects via
| cellular
| https://www.honda.ca/en/hondalink/hondalink-2?year=2023&mode...
| and they're probably selling your location data to databrokers
| https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
| MarkusWandel wrote:
| Glad to say it doesn't. Only the top-of-the-line "Touring"
| model is shown as compatible with HondaLink.
| akyuu wrote:
| It would be interesting to have a list of modern cars without
| these kinds of connected features, but I haven't found any.
| bdcravens wrote:
| Cut the cords to the cellular module
| gnopgnip wrote:
| You can pull the fuse on a Ford Maverick and it physically
| disables the telemetry. You could also opt out and disable it
| through the settings. Remote start from your keyfob still
| works. As expected remote start, seeing where you parked,
| remotely locking the car through the Ford app will not work.
| cryptonector wrote:
| In the U.S., by 2026, all new cars must have a "kill switch",
| and that includes a remote operation. The requirement is about
| preventing drunk driving, but it's being interpreted by many to
| require a kill switch.
|
| Here's the NHTSA report to Congress about this:
|
| https://www.nhtsa.gov/sites/nhtsa.gov/files/2023-07/Report-t...
|
| > Section 24220, "ADVANCED IMPAIRED DRIVING TECHNOLOGY," of the
| Bipartisan Infrastructure Law (BIL), enacted as the
| Infrastructure Investment and Jobs Act (IIJA), directed that
| "not later than 3 years after the date of enactment of this
| Act, the Secretary shall issue a final rule prescribing a
| Federal motor vehicle safety standard (FMVSS) under section
| 30111 of title 49, United States Code, that requires passenger
| motor vehicles manufactured after the effective date of that
| standard to be equipped with advanced drunk and impaired
| driving prevention technology." Further, the issuance of the
| final rule is subject to subsection (e) "Timing," which
| provides for an extension of the deadline if the FMVSS cannot
| meet the requirements of 49 USC 30111.
|
| Now, I don't see anything in there about a "remote switch", and
| I don't understand how the "remote" bit would work to prevent
| DUI.
| notjulianjaynes wrote:
| I wonder how well current adaptive cruise control/collision
| prevention technology works to _help_ someone safely drive
| drunk. I don't own a car with these features but once rented
| a 2021 Nissan for a road trip and just set the cruise control
| to 70 and it would maintain a safe distance from other cars
| automatically down to like 20 mph iirc. I didn't, but I
| probably could have been drunk and driven that car without
| much issue, not that I am advocating for this.
|
| There's probably already a bunch of data being collected
| about cars parked at e.g. a bar for a few hours that's being
| used to train some AI to detect driving behaviors associated
| with drunk driving or something like that.
| cryptonector wrote:
| If I ever get pulled over for weaving I might just blame it
| on lane assist.
| EricE wrote:
| Anything in the last 10 years is probably ratting you out
| already.
|
| https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
| hollow-moe wrote:
| depends how wide is your definition of "connected features".
| all modern vehicles in the EU are required to have the eCall
| feature which uses cell to send your location in case of a
| crash. Since the hardware is in there I have absolutely no
| faith in car makers/govs to not use it for other purposes (now
| or in the future) https://en.m.wikipedia.org/wiki/ECall
| r00fus wrote:
| As a Kia owner, this was what I was hoping for immediate term,
| FTA: "These vulnerabilities have since been fixed, this tool was
| never released, and the Kia team has validated this was never
| exploited maliciously."
|
| Kia still has a lot of work to do because of bad decisions, but
| at least my vehicle isn't ripe for theft/abuse.
| seanw444 wrote:
| > but at least my vehicle isn't ripe for theft/abuse.
|
| From this particular vulnerability. If anything, I'd still be
| concerned.
| randomstring wrote:
| The obvious next step is to crawl the whole database of
| vulnerable Kia cars and create a "ride share" app that shows you
| the nearest Kia and unlocks it for you.
| trinsic2 wrote:
| LOL.
| not_a_dane wrote:
| How much time would you need to redevelop KIAtool with AI?
| jmyeet wrote:
| Where's the strict product liability here? Like, if Kia is making
| a car that's easy to steal and it gets stolen, why isn't that
| Kia's fault and they're responsible for the damages? We're
| talking gross negligence here.
|
| There have been demonstrations of hacking cars remotely to gain
| control of them. You could quite literally kill someone this way.
| This should 100% be the responsibility of the car maker.
|
| Why do we let these companies get away with poor security? It's
| well beyond time we hold them financially and legally responsible
| for foreseeable outcomes from poor security practices.
|
| That doesn't mean any vulnerability incurs liability necessarily.
| A 0day might not meet the bar for gross negligence. But what if
| you were told about the vulnerability and refused to update the
| software for 2 years because a recall like that costs money? Or
| what if you released software using versions with known
| vulnerabilities because you don't want to pay for upgrading all
| the dependencies?
| bdcravens wrote:
| EV6 owner here. Scary stuff, but honestly, I'm not shocked. I
| feel like the EV6 is one of the better available EVs, but is
| hindered by Kia, based on the experience I've had dealing with
| the app and the dealerships.
| georgeburdell wrote:
| I've been telling my friends who want to avoid Tesla that an
| electric Kia is still a Kia
| cryptonector wrote:
| > The License Plate to VIN form uses a third-party API to convert
| license plate number to VIN
|
| I guess that exists to make life easier for police. And because
| all patrol car laptops nation-wide need this, it really can't be
| authenticated meaningfully?
| emsign wrote:
| Looks to me like all cars sold by KIA are still owned by KIA. I'm
| not worried about that exploit at all, it has been fixed. I'm
| terrified about how much data about a car and therefore about the
| "owner" is available to KIA. That's totally insane.
| cryptonector wrote:
| Not just KIA. Most if not all major automobile manufacturers
| track a huge amount of data on the vehicles [and their
| owners/operators]. For example, many vehicles come with that
| OnStar thing, and so they have a baseband processor and even
| LTE as well as a GPS receiver, and it's always on even if you
| don't pay for the service, which means that the manufacturer
| gets to know your vehicle's location and all the places you go
| and the routes you take.
| hathawsh wrote:
| OTOH, OnStar's remote disable feature is pretty compelling
| for consumers. It's not hard to find YouTube videos [1] of
| thieves being thwarted safely.
|
| [1] https://www.youtube.com/watch?v=d9FbBgG2axE
| lofaszvanitt wrote:
| After your phone which is the ultimate oppressor device, now
| your car is also snitching on you. Nice future ahead of us.
| grahamj wrote:
| I question some of this though. I have an older Kia that I'm
| pretty sure has no cell modem yet the support table shows it
| can be geolocated.
| EricE wrote:
| If you own a car since about 2010 onwards it's probably ratting
| you out already.
|
| https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
| exabrial wrote:
| By law, we need to be able to disconnect cars from the cell
| network. This is stupid.
| divbzero wrote:
| By law, we need to be able to disconnect any product whose core
| functionality does not depend on the network.
| grubbs wrote:
| Glad my VW only had a 3G antenna built in. No longer works in the
| US.
| vlark wrote:
| I just want a car that is as dumb as it can be while meeting all
| federal regulations to the highest degree. How hard can that be?
___________________________________________________________________
(page generated 2024-09-26 23:00 UTC)